HOW SERIOUS IS CROSS-SITE REQUEST FORGERY (XSRF OR CSRF)?
Cross-site request forgery is attacking website as a legitimate and trusted user that tricks the victim submitting a malicious request. An attacker may forge a request to log the victim into a target website CSRF, this could even lead to further damage.
The attacker often takes advantage of the fact that the user is already authenticated, but with some types of this attack. Impacts of successful CSRF exploits vary greatly based on the privileges of each victim. When targeting a normal user, a successful CSRF attack can compromise end-user data and their associated functions. Utilizing social engineering, an attacker can embed malicious HTML or JavaScript code into an email or website to request a specific ‘task URL’. The task then executes with or without the user’s knowledge, either directly or by utilizing a Cross-Site Scripting flaw It is imperative that no XSS vulnerabilities are present to ensure that CSRF defenses can’t be circumvented
As a webmaster, however, you should not assume that you are protected from CSRF attacks when you see anti-CSRF tokens used in your web applications.
BURP SUITE:
Burp Suite is an integrated platform for performing security testing of web applications Burp to test the security of their applications. Some of Burp’s more advanced features will take further learning and experience to master It is not a point-and-click tool but is designed to be used by hands-on testers to support the testing process.
It was developed to provide a comprehensive solution for web application security checks. In addition to basic functionality, such as proxy server, scanner and intruder, the tool also contains more advanced options such as a spider, a repeater, a decoder, a comparer, an extender and a sequencer A penetration tester configures their Internet browser to route traffic through the proxy which then acts as a sort of Man In The Middle by capturing and analyzing each request and response to and from the target web application.
Step: 1 Here how to test CSRF test manually configure burp suite with your browser
Step: 2 Take authenticated web application Testing Site You can log in using the credentials test:test.
Step 3: Then value in the field you can change the name email ID PH: NO Example Name Open Burp Proxy open the Tab Intercept On
Step: 4 Update the filed Submit the request so that it is captured Burp Proxy the Raw
Step: 5 Right Click Go to Engagement tools Generate CSRF PoC Option
Step : 6 PoC Generated Copy the HTML Open Note pad paste the HTML
Step:7 Modified the data As Test Username Email ID abc@gmail.com
Step: 8 Then Save It has test.html Open another browser login the Test site as test user click and Open the Test.html file submit the request
Step: 9 Attack has been successfully accounting information has been changed serves as an initial check to verify whether the attack is possible web application has been altered. A successful attack shows that the web application is vulnerable to CSRF
Cross-site request forgery is an understated attack technique that can be exceedingly deadly. In some cases it can lead to the complete compromise of a web-based system. We at BriskInfosec take care of the complete web application security testing helping the developers to develop their website and application in a secure manner.
For further information please feel free to get in touch with us @ Contact@briskinfosec.com
AUTHOR
Surya
Security Engineer
BriskInfosec Technology and consulting PVT LTD
No comments:
Post a Comment