A Cross Site Request Forgeries Toolkit

BSides London - 29th April 2014


What is this talk about?

  • (Quick) Recap about CSRF attacks
  • Presentation of the tool
  • Demos 
  • Issues in Web architecture
  • Mitigation
  • Little surprise

Slides available here: paulsec.github.io/bsides-london-2014/

    Who am I?

    • (French) Student, M.Sc. in Computer Science
    • Passionate about (Web) Security
    • Open source developer

    Twitter: @PaulWebSec

    Github: PaulSec                 

    CSRF Recap

    [Figure: Exploitation of a CSRF vulnerability]

    Why CSRFT?

    I wanted something:                       

    • Lightweight
    • Cross-platform
    • Open Source
    • Can combine CSRF attacks

    There was no toolkit for this...

    How does it work?

    [Figure: Usage of CSRFT]

    How is it made?

    • HTTP Server developed in Node.js

    • Can fake either GET/POST Requests
      • Creates payloads (forms) on-the-fly

    • Client/Server side full JavaScript
      • Communication in JSON

    More features

    • Can create scenarios
      • By combining CSRF flaws

    • 2 attack methods possible
      • Special value (craft specific payload)
        Eg. Change user's password
      • Dictionary attacks
        Eg. Try to log the user in

    Additional tools

    • JavaScript Proxy 

    Tampers with requests, injects Web page with malicious iframe

    Inspired by Chema Alonso and his talk:

    Owning Bad Guys {And Mafia} With Javascript Botnets  @ Defcon 20

    • Python utility

    Command-line tool that automates usage

    Time for some demos?

    Demo (1/2)

    Custom Scenario

    1. Try to log the user in
    2. Send some malicious payloads
    3. Log the user out

    Completely transparent attack

    Demo (2/2)

    Demo using automated tool

    Automated attack with the Python (command-line) utility:
    send a crafted request to change the admin's password

    Bad design in web app (1/2)

    No token in the login form

    The rest of the application can then be targeted

    Bad design in web app (2/2)

    No token to change the password

    Vulnerable if credentials are weak
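    The two "bad design" slides come down to one audit question: which forms in the application carry no anti-CSRF token? The following added example (not code from the CSRFT project) is a small Node.js form auditor that scans an HTML page, extracts every form with its method and input fields, and flags forms that lack a hidden token field. The token-field naming (any hidden input whose name contains "csrf" or "token"), the sample page, and the routes in it are constructed assumptions; GET forms are flagged as well because a state-changing GET is reachable from a plain link or image tag.

```javascript
// Added example (not from the CSRFT project): audit HTML forms for a missing
// anti-CSRF token field, the design flaw the slides point at (no token in the
// login form, no token in the change-password form).
// Assumptions: forms are simple enough for a regex scan; the token field is a
// hidden <input> whose name contains "csrf" or "token" (hypothetical naming).

const TOKEN_NAME = /csrf|token/i;

// Extract the action, method and input fields of every <form> in an HTML string.
function parseForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const methodMatch = /method\s*=\s*["']?(\w+)/i.exec(attrs);
    const method = (methodMatch ? methodMatch[1] : 'GET').toUpperCase();
    const actionMatch = /action\s*=\s*["']([^"']*)/i.exec(attrs);
    const inputs = [];
    const inputRe = /<input\b([^>]*)>/gi;
    let im;
    while ((im = inputRe.exec(body)) !== null) {
      const nameMatch = /name\s*=\s*["']([^"']*)/i.exec(im[1]);
      const typeMatch = /type\s*=\s*["']?(\w+)/i.exec(im[1]);
      inputs.push({
        name: nameMatch ? nameMatch[1] : '',
        type: (typeMatch ? typeMatch[1] : 'text').toLowerCase(),
      });
    }
    forms.push({ action: actionMatch ? actionMatch[1] : '', method, inputs });
  }
  return forms;
}

// A form counts as protected when it carries a hidden input whose name looks
// like an anti-CSRF token. Everything else, GET forms included, is reported.
function hasTokenField(form) {
  return form.inputs.some((i) => i.type === 'hidden' && TOKEN_NAME.test(i.name));
}

// One report entry per form: where it posts, how, and whether it is protected.
function auditForms(html) {
  return parseForms(html).map((f) => ({
    action: f.action,
    method: f.method,
    protected: hasTokenField(f),
  }));
}

// Constructed sample page: a login form with no token (the flaw on the
// "bad design" slides), a change-password form that carries one, and a
// logout form that uses GET.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
<form action="/change_password" method="POST">
  <input type="hidden" name="csrf_token" value="constructed-token-value">
  <input type="password" name="new_password">
</form>
<form action="/logout" method="get">
  <input type="submit" value="Log out">
</form>`;

for (const r of auditForms(SAMPLE_HTML)) {
  console.log(`${r.method} ${r.action}: ${r.protected ? 'token present' : 'NO TOKEN'}`);
}
```

    Run against the sample page, the auditor reports the login form and the logout form as unprotected and the change-password form as carrying a token. The regex scan is deliberately simple; on real pages a proper HTML parser is the safer choice, but the check itself (hidden token input present on every state-changing form) is the same.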


    Mitigation

    • Request Token
      • Random generated token
      • Verified on server-side
      • One of the most-used mechanisms

    • Re-Authentication
      • If weak password? ... Not good!

    • Captcha, Timeout, NoScript (with) ABE


    Little surprise

    • Created a (vulnerable) VM
    • Will be hosted on VulnHub
    • Must exploit CSRF flaws to get root access...

    Good luck!

    Questions ?

    Code available here: https://github.com/PaulSec/CSRFT/


    By paul38

