2

Given a website, how do I detect potential CSRF vulnerabilities?

thanks in advance

maroxe
    Any request, whose parameters can be guessed/predicted by a third party, is vulnerable to CSRF. – Gumbo Jul 17 '14 at 05:29
  • If I may extend: Any value from any other system not within your codes memory execution space that can be guessed/predicted by a third party, is vulnerable to CSRF. – hakre Jul 21 '14 at 18:49

2 Answers

5

This is a CSRF attack:-

A page on www.evil.com that the victim is enticed to browse contains the following code:-

<form method="post" action="https://www.example.com/executeAction">
    <input type="hidden" name="action" value="deleteAllUsers">
</form>

<script>document.forms[0].submit()</script>

As the victim is logged into your site (www.example.com) as an admin user, the form submission works and all users are deleted from your system.

The Synchronizer Token Pattern is the recommended way to fix this vulnerability. This will add a cryptographically secure random string known as the token to your form when loaded on your site by a legitimate user that has been stored on the server side and paired to the user session. When the form is submitted, your system will check that the token POSTed matches the one expected. Any attacker cannot read the token from your site as any cross site access is protected by the Same Origin Policy.

A web security scanner can usually detect these sorts of vulnerabilities on your site. You can check manually by inspecting forms submitted by the browser mechanism to find out if they contain a token field. However, AJAX submissions may use another method such as the Origin header or X-Requested-With.

SilverlightFox
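The Synchronizer Token Pattern described in the answer above, worked through as an added example (not code from the answer or from any particular framework): a token is generated with a cryptographically secure source, stored server-side against the session, embedded in the form, and compared in constant time on submission. The `Session` class and the `handle_post` function are stand-ins constructed for this example; a real application would use its framework's session store and request handler.

```python
import hmac
import secrets


class Session:
    """Minimal server-side session stand-in (constructed for this example).
    A real application would use its framework's session store; the important
    property is that the attacker's page cannot read what is stored here."""

    def __init__(self):
        self.data = {}


def issue_csrf_token(session):
    """Generate a fresh token, store it against the session, and return it
    so it can be embedded in the form rendered for this user."""
    # token_urlsafe yields only [A-Za-z0-9_-], so it is safe to place in an
    # HTML attribute without further escaping.
    token = secrets.token_urlsafe(32)
    session.data["csrf_token"] = token
    return token


def render_form(session):
    """Render the legitimate form on www.example.com with the token included."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="https://www.example.com/executeAction">\n'
        f'    <input type="hidden" name="csrf_token" value="{token}">\n'
        '    <input type="hidden" name="action" value="deleteAllUsers">\n'
        "</form>"
    )


def verify_csrf_token(session, submitted):
    """True only if the submitted token equals the one paired with this session.
    compare_digest avoids leaking the expected value through timing differences."""
    expected = session.data.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(session, form_fields):
    """Hypothetical request handler: the state-changing action runs only when
    the POSTed token matches the session's token."""
    if not verify_csrf_token(session, form_fields.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    return "executed: " + form_fields["action"]


if __name__ == "__main__":
    admin = Session()
    print(render_form(admin))
    # Submission from the legitimate form: the browser sends the token back.
    print(handle_post(admin, {"action": "deleteAllUsers",
                              "csrf_token": admin.data["csrf_token"]}))
    # Submission forged from www.evil.com: the attacker's page never saw the
    # token (Same Origin Policy), so the request carries none and is rejected.
    print(handle_post(admin, {"action": "deleteAllUsers"}))
```

Because the token lives in the session, a token captured from one user's session is useless against another user's session, and a page on another origin cannot read it to begin with.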
2

You need to understand what CSRF is in order to detect a CSRF vulnerability.

CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.

Basic CSRF vulnerabilities appear when the backend application doesn't check whether the form was sent by the client intentionally. In order to determine whether the request was sent intentionally or not, you need to use a token in the HTML form and then check that token at the backend.

For example:

<form action="/setting/emailchange.php">
<input type="hidden" name="csrf_token" value="RANDOM_STRING_HERE">
<input type="text" name="email" value="" placeholder="Type new email">
</form>

You see there is a hidden input field named "csrf_token". As an attacker we cannot predict that value because it is generated for the related user and stored in the session. The backend application will not process that request without a valid csrf_token value.

As a result, if you don't see any CSRF token in the HTML form, that means it is possibly vulnerable to CSRF.

Further info : https://www.acunetix.com/what-are-csrf-attacks/

Mehmet Ince
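Both answers suggest the same manual check: look at each form the site serves and see whether it carries a token field. The following is an added example (not from either answer) that automates that inspection over saved HTML with the standard-library parser: it lists every form whose hidden inputs contain no token-like name. The `SAMPLE_HTML` is constructed for the example, and the name hints in `TOKEN_NAME_HINTS` are an assumption about common naming; a site that names its token differently, or protects AJAX calls with headers such as Origin or X-Requested-With instead, needs a manual look.

```python
from html.parser import HTMLParser

# Substrings that commonly appear in the name of an anti-CSRF field.
# This list is an assumption made for the example, not an authoritative set.
TOKEN_NAME_HINTS = ("csrf", "xsrf", "token", "authenticity", "nonce")


class FormScanner(HTMLParser):
    """Collect each <form> with its method, action, and the inputs inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "type": (a.get("type") or "text").lower(),
                "name": a.get("name") or "",
            })

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

    def close(self):
        super().close()
        # Keep a form that was never closed rather than silently dropping it.
        if self._current is not None:
            self.forms.append(self._current)
            self._current = None


def has_token_field(form):
    """True if any hidden input in the form has a token-like name."""
    return any(
        inp["type"] == "hidden"
        and any(hint in inp["name"].lower() for hint in TOKEN_NAME_HINTS)
        for inp in form["inputs"]
    )


def find_forms_without_token(html):
    """Return the forms that carry no token field, in document order.
    GET forms are included because a GET that changes state is just as
    forgeable; the caller decides which actions are actually state-changing."""
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    return [f for f in scanner.forms if not has_token_field(f)]


# Constructed sample page: one protected form, one unprotected POST form,
# and a GET search form that needs human judgement.
SAMPLE_HTML = """
<form method="post" action="/setting/emailchange.php">
  <input type="hidden" name="csrf_token" value="RANDOM_STRING_HERE">
  <input type="text" name="email" placeholder="Type new email">
</form>
<form method="post" action="/executeAction">
  <input type="hidden" name="action" value="deleteAllUsers">
</form>
<form method="get" action="/search">
  <input type="text" name="q">
</form>
"""

if __name__ == "__main__":
    for form in find_forms_without_token(SAMPLE_HTML):
        print(f"{form['method'].upper():4} {form['action']}: no token field")
```

Run it over pages saved while logged in, since the forms that matter are the authenticated, state-changing ones; a form that is flagged here is a candidate for the token check described in the answers, not yet a confirmed vulnerability.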