Exploiting and Finding CSRF Vulnerabilities

Overview

We’ve discussed what CSRF is and its various types. We’ve looked at a few simple examples as well. It’s now time to learn how to test for this vulnerability, automate the process, and do a bit of practice.

Discovering CSRF vulnerabilities

The standard methods for discovering CSRF vulnerabilities include:

  • Manual testing: This involves manually sending requests to the web application and analyzing the responses to determine if the application is vulnerable to CSRF attacks. Tools such as Wireshark and Burp Suite are often invaluable in this case.

  • Using a tool: Tools such as OWASP ZAP and Burp Suite have a fair success rate when it comes to discovering CSRF vulnerabilities automatically.

  • Static code analysis: This involves reviewing the source code of the web application to identify any potential vulnerabilities. This can be done manually or by using an analysis tool.

Tools for discovering CSRF vulnerabilities

Using tools can often save time and help in catching vulnerabilities manual testing might sometimes miss. As such, it’s imperative that we provide a brief list of some popular choices:

  • Burp Suite: This is a widely used web application security testing tool with several features for testing CSRF vulnerabilities. It allows us to intercept and modify HTTP requests and analyze responses to identify potential vulnerabilities.

  • OWASP ZAP (Zed Attack Proxy): This also allows us to intercept and modify HTTP requests and analyze responses. Being open source is a huge plus as well.

  • Wireshark: Wireshark’s capability of capturing individual packets and showing the request being sent in detail can often provide lots of clues. Keep in mind that it only shows the request in the clear for plain HTTP; over HTTPS the payload is encrypted on the wire, so an intercepting proxy is the better choice there.

Tools are nice, but at the end of the day, being overreliant on them spells bad news. A combination of certain tools and some manual digging is always a good approach to finding vulnerabilities.

Practice

Let’s now perform some basic CSRF attacks so we can truly understand how they work.

Finding a CSRF vulnerability

We’ve already used Acunetix’s vulnerable web application for several previous test cases. Let’s now use it once more:

  1. Open the website’s home page, http://testphp.vulnweb.com/, in your own browser.

  2. Open the DevTools and then the “Network” tab.

  3. Search for any query in the search field in the sidebar of the site. We’ve gone with hello.

  4. Click search.php?test=query to show the request sent and the response received. We’re interested in the request. Another point of interest is the contents of the “Payloads” tab. Refer to the image below for what should be visible.
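As an added example (not part of this course or of the Acunetix test site), here is a small static check in the spirit of the code-review and manual-inspection approaches above: it parses a page's forms and reports which state-changing (POST) forms carry no hidden anti-CSRF token, the first thing to look for once a request like the one above is in view. The sample HTML, the token-name heuristic and the `/profile/update` form are constructed for illustration.

```python
from html.parser import HTMLParser
# Hidden-field names that usually carry an anti-CSRF token (assumed heuristic).
TOKEN_HINTS = ("csrf", "xsrf", "token", "authenticity", "nonce")

class FormCollector(HTMLParser):
    """Collect each <form> with its method, action and (name, type) of its inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": (a.get("method") or "get").lower(), "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append((a.get("name", "").lower(),
                                        (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def has_csrf_token(form):
    return any(t == "hidden" and any(h in n for h in TOKEN_HINTS)
               for n, t in form["inputs"])

def audit_forms(html):
    """Return (method, action, status) per form. 'missing-token' marks a POST form
    with no hidden token; 'get-form' means verify the action is read-only."""
    p = FormCollector()
    p.feed(html)
    out = []
    for f in p.forms:
        if f["method"] != "post":
            status = "get-form"
        elif has_csrf_token(f):
            status = "protected"
        else:
            status = "missing-token"
        out.append((f["method"], f["action"], status))
    return out

# Constructed sample page: the site's search form plus two made-up POST forms.
SAMPLE = """
<form action="search.php?test=query" method="get"><input name="searchFor"></form>
<form action="/profile/update" method="post"><input name="email"></form>
<form action="/profile/update" method="post"><input type="hidden" name="csrf_token" value="constructed"><input name="email"></form>
"""
```

Run `audit_forms(SAMPLE)` to see the search form reported as `get-form`, the first profile form as `missing-token` and the second as `protected`; a `missing-token` hit is where a manual CSRF test should start.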
