Hello guys! In the previous article we learned what Cross Site Request Forgery (CSRF) is and how it works. This time we are going to learn how to test for CSRF vulnerabilities.
So let's keep it simple:
Every input form is vulnerable to CSRF unless some security measures are in use.
Yeah, you read it right: every input form is vulnerable to CSRF unless some security measures are in use.
But what kind of security measures?
Well, the most common method of defending against CSRF is to use a CSRF token.
What is a CSRF token and how does it work?
Here's a simple input form which submits a value "amount" to the page money.php:
<form action="http://example.com/money.php" method="POST">
  <input type="text" name="amount">
  <input type="submit">
</form>
This form is potentially vulnerable to CSRF.
Now let's add a hidden input field which automatically submits a long, random string called a CSRF token:
<form action="http://example.com/money.php" method="POST">
  <input type="hidden" name="_token" value="mc78P887bcPncYhoAdloizdc9njblCb">
  <input type="text" name="amount">
  <input type="submit">
</form>
The CSRF token changes every time you visit the web page, and the server only accepts a request whose token matches the one it issued, so it is impossible for the attacker to guess what the CSRF token for a new request from the victim will be.
A CSRF token can also be implemented in cookies, but most of the time you will find it in a hidden form field like the one above.
But if the attacker finds an XSS vulnerability in the website, then bypassing the CSRF token is a piece of cake. That's why there is another security practice used by wise people: the Same Origin Policy (SOP).
Same Origin Policy
To understand what SOP is, try asking your telecom service provider to lock your SIM card. They will ask you to confirm that you are the same person who owns the SIM card, to make sure that someone else is not trying to lock it.
If you want to check whether a website uses SOP or not, just check the HTTP headers.
That's all. Next time you want to check whether an input form is vulnerable to CSRF, just check the web page's source code to see if there is some token mechanism, and also take a look at the HTTP headers to see if SOP is in use.
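As an added example (not code from the original post), here is a small Python version of the token mechanism described above plus the page-source check just recommended: the server mints a per-visit token and verifies it on submit, and a tester-side helper scans a page's hidden inputs for a token field. The field name `_token` is taken from the form above; everything else is constructed for the example.

```python
import hmac
import secrets
from html.parser import HTMLParser

TOKEN_FIELD = "_token"  # field name used in the form above


def issue_token(session: dict) -> str:
    """Server side: mint an unguessable token and remember it in the
    user's session so it can be compared when the form is submitted."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token


def render_form(session: dict) -> str:
    """Render the money form with a fresh token in a hidden field."""
    token = issue_token(session)
    return ('<form action="http://example.com/money.php" method="POST">'
            f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
            '<input type="text" name="amount"><input type="submit"></form>')


def verify_token(session: dict, form: dict) -> bool:
    """Server side: accept the POST only if the submitted token equals the
    one stored for this session. A missing token is rejected, and the
    compare is constant-time so the token cannot be guessed byte by byte."""
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


class _HiddenInputs(HTMLParser):
    """Collect the name/value of every hidden <input> in a page."""
    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def find_csrf_tokens(html: str) -> dict:
    """Tester side: the page-source check from the article. Returns hidden
    inputs whose name looks like a token; an empty dict means the form
    carries no visible anti-CSRF token and deserves a closer look."""
    p = _HiddenInputs()
    p.feed(html)
    return {n: v for n, v in p.hidden.items()
            if "token" in n.lower() or "csrf" in n.lower()}
```

Rendering the form twice for the same session yields two different tokens, which is exactly what the page-source check should confirm on a real site.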
Keep Learning! Keep Hacking!