IV. Identifying CSRF Vulnerabilities – Manual Testing Techniques
Now that your test environment is ready, it’s time to dive into manual CSRF testing. In this section, we’ll cover various techniques to help you identify CSRF vulnerabilities in your web application.
A. Reviewing the Application’s Functionality
- Identifying State-Changing Requests
The first step in manual CSRF testing is to identify state-changing requests within the application. These are requests that modify data or alter the application’s state in some way, such as updating user information, changing passwords, or making a purchase. Look for HTTP methods like POST, PUT, DELETE, and PATCH, as these are commonly associated with state-changing actions, but don’t overlook GET requests that also change state; they are in scope as well.
- Understanding the Application’s CSRF Protection Mechanisms
Next, analyze the application’s CSRF protection mechanisms. Look for the presence of CSRF tokens in forms or HTTP headers, and observe how they’re generated, validated, and handled. Take note of any SameSite cookie settings and other security measures in place, such as Content Security Policies or Referrer Policies.
B. Testing for CSRF Vulnerabilities
- Crafting CSRF Exploit Requests
To test for CSRF vulnerabilities, you’ll need to craft exploit requests that trigger state-changing actions without the user’s knowledge or consent. There are several ways to do this:
a. Using HTML Forms
Create a malicious HTML form that mimics the target application’s legitimate form, but with altered action attributes to point to the vulnerable endpoint. When the victim submits the form, it will send a request to the targeted application with their session cookies, potentially triggering the undesired action.
b. Using JavaScript
Craft a malicious script that generates and sends an XMLHttpRequest or Fetch API request to the target application; the browser attaches the victim’s session cookies to the request automatically (subject to the cookie’s SameSite setting). When the victim visits a page containing the script, it will execute and send the crafted request, potentially causing unintended actions.
- Bypassing CSRF Protection
Sometimes, applications have CSRF protection mechanisms in place that need to be bypassed to execute a successful attack. Here are some techniques to consider:
a. Token Leakage
Check if CSRF tokens are leaked via URLs, Referer headers, or other insecure means. If a token is leaked, an attacker may be able to obtain it and include it in the malicious request, bypassing the CSRF protection.
b. Weak Token Generation
Examine the CSRF token generation process for weaknesses, such as predictable patterns or the use of weak random number generators. If the token generation is flawed, an attacker may be able to guess or generate valid tokens, rendering the protection mechanism ineffective.
c. Insecure Token Handling
Look for cases where the application fails to validate CSRF tokens correctly, such as not checking the token’s existence or matching it against the user’s session. If the application doesn’t handle tokens securely, an attacker might bypass CSRF protection by sending requests without a token or with an incorrect token.
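The weak-generation and insecure-handling checks above, seen from the defending side, as an added example that is not part of the original article: a small synchronizer-token guard that generates tokens from the OS CSPRNG, binds each token to one session, rejects a missing token, and compares in constant time, plus an audit helper that replays the missing-token, wrong-token and other-session-token cases against it. The class and session names are assumptions for illustration, not any framework’s API.

```python
import hmac
import secrets
from typing import Dict, Optional


class CsrfGuard:
    """Synchronizer-token CSRF protection: one unguessable token per session."""

    def __init__(self, token_bytes: int = 32):
        self._token_bytes = token_bytes
        self._tokens: Dict[str, str] = {}  # server-side store: session id -> token

    def issue(self, session_id: str) -> str:
        """Return the session's token, generating it on first use."""
        token = self._tokens.get(session_id)
        if token is None:
            # secrets draws from the OS CSPRNG, so tokens are not predictable
            # (addresses the "weak token generation" case)
            token = secrets.token_urlsafe(self._token_bytes)
            self._tokens[session_id] = token
        return token

    def validate(self, session_id: str, submitted: Optional[str]) -> bool:
        """True only if the submitted token is the one issued to this session."""
        if not submitted:  # reject absent/empty tokens rather than skipping the check
            return False
        expected = self._tokens.get(session_id)
        if expected is None:  # no token was ever issued to this session
            return False
        # constant-time comparison against *this* session's token, so a token
        # captured from another session does not validate
        return hmac.compare_digest(expected.encode(), submitted.encode())


def audit_token_handling(guard: CsrfGuard) -> Dict[str, bool]:
    """Replay the insecure-handling cases; every value should be True."""
    victim, attacker = "sess-victim", "sess-attacker"  # constructed session ids
    victim_token = guard.issue(victim)
    attacker_token = guard.issue(attacker)
    return {
        "missing_token_rejected": not guard.validate(victim, None),
        "wrong_token_rejected": not guard.validate(victim, "0" * len(victim_token)),
        "other_session_token_rejected": not guard.validate(victim, attacker_token),
        "tokens_differ_between_sessions": victim_token != attacker_token,
        "valid_token_accepted": guard.validate(victim, victim_token),
    }
```

Running the audit against a real application’s endpoint instead of this in-memory guard gives the same three checks from the text in a repeatable form.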