Cross-site request forgery (CSRF) is an attack which forces an end user to execute unwanted actions on a web application to which they are currently authenticated.
CSRF vulnerabilities may arise when applications rely solely on HTTP cookies to identify the user that has issued a particular request. Because browsers automatically add cookies to requests regardless of the request's origin, it may be possible for an attacker to create a malicious web site that forges a cross-domain request to the vulnerable application.
In Burp Suite, intercepting Proxy lets you inspect and modify traffic between your browser and the target application. Therefore by using Proxy tab in Burp Suite, we can intercept the communications between a client (such as a Web browser) and the server. For this, set up your browser (Iceweasel), in Kali, to use a Proxy (127.0.0.1 on port 8080). Burp Suite is a Java based Web Penetration Testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting web applications. Nov 14, 2018 We can also leverage Burp Suite’s web spider functionality to try to discover API pages. After manually navigating your target’s website while capturing traffic into Burp’s proxy and adding the site to your selected scope ( right-click the target site in TargetSite Map, add to scope ), perform a crawl by selecting the host URL and right.
In this example we will be using Burp's CSRF PoC generator to help us hijack a user's account by changing their details (the email address associated with the account) on an old, vulnerable version of 'GETBOO'.
The version of 'GETBOO' we are using is taken from OWASP's Broken Web Application Project. Find out how to download, install and use this project.
Burp Scanner is able to locate potential CSRF issues.
The Scanner identifies a number of conditions, including when an application relies solely on HTTP cookies to identify the user, that result in a request being vulnerable to CSRF.
To manually test for CSRF vulnerabilities, first, ensure that Burp is correctly configured with your browser.
In the Burp Proxy 'Intercept' tab, ensure 'Intercept is off'.
Visit the web application you are testing in your browser.
Ensure you are authenticated to the web application you are testing.
In this example by logging in to the application.
You can log in using the credentials user:user.
Access the page you are testing.
Alter the value in the field/s you wish to change, in this case 'Email'.
In this example we will add a number to the email.
Return to Burp.
In the Proxy 'Intercept' tab, ensure 'Intercept is on'.
Submit the request so that it is captured by Burp.
In the 'Proxy' tab, right click on the raw request to bring up the context menu.
Go to the 'Engagement tools' options and click 'Generate CSRF PoC'.
Note: You can also generate CSRF PoC's via the context menu in any location where HTTP requests are shown, such as the site map or Proxy history.
In the 'CSRF PoC generator' window you should alter the value of the user supplied input.
In the same window, click 'Copy HTML'.
Open a text editor and paste the copied HTML.
Save the file as a HTML file.
In the Proxy 'Intercept' tab, ensure 'Intercept is off'.
If necessary, log back in to the application.
Initially we will test the attack on the same account.
Open the HTML file in the same browser.
Dependent on the CSRF PoC options you may need to submit the request or it may be submitted automatically.
In this case we are submitting the request manually.
If the attack has been successful and the account information has been successfully changed, this serves as an initial check to verify whether the attack is plausible.
Now login to the application using a different account (in this example the admin account for the application).
Once you are logged in, perform the attack again by opening the file in the same browser.
The attack is successful if the account information in the web application has been altered.
A successful attack shows that the web application is vulnerable to CSRF.
For the attack to fire in a real world environment, the victim needs to access a page under the attacker's control while authenticated.
In our example web application, a new password can be set for the account using the email address. In this way an attacker could gain full ownership of the account.
To determine whether your application is vulnerable it is important to keep abreast of the security status of the components that it uses. Vulnerabilities are reported to central clearing houses such as CVE and NVD.
Attackers are able to identify a weak component through scanning or manual analysis of a web application. You can simulate this process using Burp. In this example we assess one potential vulnerability of a web server.
Burp Suite Test Website Reviews
First, ensure that Burp is correctly configured with your browser.
Ensure Burp Proxy 'Intercept is off'.
Visit the web application you are testing in your browser.
Next, click the “HTTP history” tab.
In the HTTP history table select one of the captured request and response rows.
Click the “Response” tab.
Information regarding the web server used by the web application is provided in the response.
From either the “Raw” or “Headers” tab, make a note or copy the Server name and version number.
With the server information at your disposal you can now use a search engine or one of the central clearing houses to check whether your web server has any known vulnerabilities.
Burp Suite Program
Vulnerable components are usually fixed in a later version of the software. Upgrading or patching any components used by your web application is critical when securing your applications.
Additionally, it is possible to use the 'Software Version Reporter' from the BApp store to passively scan for server software version numbers.