Every CSRF token need not be verified in order to prevent CSRF

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. – Wikipedia


I had an interesting encounter with CSRF last week, one of them is yet to be fixed. Here is an interesting low impact issue.

These days almost every form on a website uses CSRF protection by default. Every time the website loads, the CSRF token should be different/unique/unpredictable. But this is not the case with 80% of websites out there. I’ll be explaining this with two examples: one is Dropbox and the other is move-app (Facebook).

Let’s start.

Most dynamic websites contain sign-in functionality as well as a forgot-password form to recover the account.

“Most of the forgot password forms are vulnerable by design, a good practice is to ask a security question before sending reset link” – Aditya

My area of interest was the CSRF token for visitors: public forms like reset password, sign in, feedback and all. These tokens are session based (the session starts when the site loads and lasts until you close the browser).

The issue was that the token remains the same for a particular session. For example, when you submit a reset password request the first time, the token is x; now every time you request a reset password, the token will be the same x.

I thought to abuse this: I made a PHP crawler that will crawl the hidden CSRF value, and thought to add the token field to my CSRF form. Here is the PHP code to extract all the input values from Coinbase.

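<?php
// Load the public password-reset page; @ suppresses warnings from malformed HTML.
$doc = new DOMDocument();
@$doc->loadHTMLFile("https://www.coinbase.com/password_resets/new");
$doc->saveHTML();
$tags = $doc->getElementsByTagName('input');

// Print "value|nodeValue" for every <input>, including the hidden CSRF field.
foreach ($tags as $tag) {
    $x = $tag->getAttribute('value') . '|' . $tag->nodeValue . "\n";
    echo $x;
}
?>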

I tried to submit my form with the scraped CSRF token, badass idea. Didn’t work, because my page was not creating any session.

Now the goal was clear: I have to use my session to abuse the CSRF. So what I did is copy my cookie and token, and use the cookie with document.cookie and the token value; this time, Bingo!
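A server-side sketch of the two token properties discussed above, added here as an example (not code from the original post or from any site it names): each token is bound to the session it was issued for, which is why a token scraped in another session is rejected, and each token is single-use, so the same value x cannot be submitted twice within one session. `CsrfGuard`, the session IDs and the key are hypothetical names chosen for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-deployment secret

class CsrfGuard:
    """Issues single-use CSRF tokens bound to one session ID (hypothetical helper)."""
    def __init__(self, key):
        self._key = key
        self._pending = {}  # session_id -> set of issued, not yet used nonces

    def _mac(self, session_id, nonce):
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id):
        nonce = secrets.token_hex(16)  # fresh value on every form render
        self._pending.setdefault(session_id, set()).add(nonce)
        return f"{nonce}.{self._mac(session_id, nonce)}"

    def verify(self, session_id, token):
        nonce, sep, mac = (token or "").partition(".")
        if not sep:
            return False  # malformed or missing token
        expected = self._mac(session_id, nonce)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False  # token was minted for a different session
        pending = self._pending.get(session_id, set())
        if nonce not in pending:
            return False  # already used, or never issued to this session
        pending.discard(nonce)  # single use: a replay of the same token fails
        return True

def demo():
    guard = CsrfGuard(SERVER_KEY)
    scraped = guard.issue("sess-scraper")     # token fetched by a crawler's own session
    form_token = guard.issue("sess-visitor")  # token rendered into the visitor's form
    return {
        "scraped_in_other_session": guard.verify("sess-visitor", scraped),
        "first_submit": guard.verify("sess-visitor", form_token),
        "replay_same_session": guard.verify("sess-visitor", form_token),
        "fresh_token_differs": guard.issue("sess-visitor") != form_token,
    }

if __name__ == "__main__":
    print(demo())
```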