Security (2 Part Series)
This article was originally published at: https://www.blog.duomly.com/what-is-csrf-attack-tutorial-for-beginners/
Today we will talk about what is CSRF attack.
Did you know somebody can steal your money by using just a simple image?
In this tutorial, I will show you how, and we will hack an online casino together!
In the first post about web security, we were talking about hacking a bank app by SQL Injection.
Link is here:
Today we will focus on something else, but still dangerous, and quite easy to do.
It's especially dangerous because many websites and applications are vulnerable to this attack.
You will learn what a CSRF attack is and why the CSRF attack can be dangerous.
Next, we will discuss how to make a CSRF attack and how to secure the app.
If you prefer video, here is the youtube version:
CSRF is a type of security vulnerability that allows an attacker to perform any action on another application.
Especially in a situation, the one where the victim is authenticated, and we would like to make him any action for us.
It's more focused on change the internal state of the app than push data out to the attacker.
CSRF attack can be very dangerous, especially when we will mix it with the XSS one.
It's mostly targetted to do action in our authenticated account, but without our knowledge and permission.
For example, imagine the situation when we are a reader of any community forum. We are logged in to our email or bank account in different one browsers window.
An attacker can upload a malicious image to the forum.
It can be enough we will just see his post, the next code from the image will do call to our email account.
This call can change the settings of our email account.
Like for example, all of the emails that will come to our inbox can be forwarded to the attacker's inbox as well.
In this section, I will show you a few critical (for me) methods that can prevent your application from the CSRF attack.
It's not all that you can do, but these are crucial, in my opinion.
It's worth doing research and study more of them because maybe in your project there will be needed some more security.
I used a pointed-list to make it as clear as possible.
1. Tight CORS and accept calls only from a known origin
2. Use same-site cookie
3. Use CSRF token
4. Use sessionId, only for this session
5. Use your custom headers in calls
6. Never use GET for the call that should do something else than just return data
7. Avoid developing features that will do any special action only by visiting URL
VirtualBox or VMware:
You can find the VirtualBox (it's free), or buy/use a trial of VMware(it's better).
Web Security Dojo:
Web Security Dojo is an operating system with a lot of useful tools like burp, Nikto, or sqlmap that you can use to train your hacking skills.
The second important fact is that Web Security Dojo contains a few targets that you can legally use to hack.
You can download it from this link:
Knowledge how to use SQL Injection:
In this lesson, we will use SQL Injection to pass authentication of the Casino, and it will be necessary.
Don't worry if you don't know how to use it yet!
In the previous episode, I've created a whole lesson about basic SQL Injection.
You can learn and train it there.
Here is the blog post of the "What is SQL Injection attack tutorial":
And here is the youtube version:
Very basic HTML:
We will use HTML to create some template of the page with malicious code.
We will use that template to hack the Casino later.
If you do not know how to use HTML yet, don't worry!
You can just follow what we do in today's lesson, or you can do a whole html&css course here:
HTML and CSS course
Start the machine:
The first step that we need to is to run the whole environment.
Run your Web Security Dojo by VMware or VirtualBox, and wait until it loads.
Start the Casino:
When our Web Security Dojo is loaded, we need to run the Casino.
The first step is to go into the menu (it's that blue icon on the top left corner).
Next, you should open a tab named "Targets".
And, as the last step, you should click on the "Hacme Casino Start".
Your server should load, now you can open the Casino.
Go into the browser and type in the address bar:
Hack the authentication:
When you visited that URL, you should see the Casino's website and a login form.
We do not know the login and password to the ace's account.
So we can hack it by SQL Injection.
You can hack it by some of the methods that you already learned in the previous lesson or use that one below.
Password input should be empty, and in the user's input you should type:
') OR 1=1 —
Prepare the malicious website:
Congratulations, you've hacked access to the ace's account!
Next, we should create some malicious website, that we will put our image with the fake-URL, that will do a call to the Casino (where our victim is loggedIn).
First, you need to create a folder for that, and next, you need to create the index.php file with the code.
Look at the example below:
<html> <head></head> <body> <h1>Greetings from Duomly</h1> <img src="http://localhost:3000/account/transfer_chips?transfer=1000&login=andy_aces&commit=Transfer+Chips"/> </body> </html>
Run the malicious website:
The next step is just to run our PHP server that will host our malicious site.
Open the terminal in the directory that contains our code and type:
php -S localhost:8000
Login as bobby_blackjack:
In this step, we need to be a victim for a while.
We need to log in as a victim and take a look at our (victim's) profile or balance.
Here are the credentials that we can use.
login: bobby_blackjack pass: twenty_one
Open the malicious website when a victim is logged in (bobby_blackjack):
Now the fun is starting!
We need to send the malicious URL to the victim and expect he will open it.
Next, when the page loads, the malicious code will render the image.
The image has the malicious link that will be fired and will send some money from the victim's account into the "andy_ace", that is our account in this case.
Logout and login as the andy_ace:
After the proper attack, we can log in to the andy_ace account by using SQL Injection again.
Do you see a larger amount of money?
You've stolen money from the bobby_blackjack!
Now you know what CSRF is, why CSRF attack is dangerous, and how to make the CSRF attack.
You know as well how to secure your app from the CSRF attack.
Follow us to get more popular web-security skills, and comment on what you would like to learn in the next lessons!
Remember, you cannot hack the software or apps that you aren't an owner or have not the owner's permission.
It's illegal and can have huge consequences.
Thanks for reading,
Radek from Duomly