Cross-site request forgery
Now I'm going to exploit CSRF on a website (the DVWA password-change page). The principle is simple: if the form submits its values as parameters in the URL, so that the complete request shows up in the browser's address bar after you submit, the page is a candidate for CSRF, because that request can be reproduced by anyone who can get a victim to open the URL.
As you can see in the address bar, submitting the form turns it into a query in the URL. If I open that URL directly, without the form, it works just as well, but only for me: my browser attaches my own session cookie, so it is my password that changes. To attack someone else I need to put a password of my choosing into that URL, get the link in front of a user who is logged in, and have them click it so their browser sends the request with their session cookie.
So I created a little phishing email in HTML. Using HTML lets me make the email look as legitimate as possible: the real link can be hidden behind innocent link text, and I can even add the DVWA logo. If I knew how the site normally emails its users, I could recreate that format exactly and you would not see the difference.
The user receives an email like this, and if the message adds urgency, the user may not stop to look for red flags because they feel they need to act as fast as possible.
The user is sent to the familiar page for changing their password, but the password was already changed the moment the page loaded, because the link carried my values and the user's browser sent their session cookie along with the request.
If the user now tries to log in, they can't, because the password has been changed, and I can log in to their account with the password I chose and exploit it as much as I want.
Attacks like this can be made harder with a CAPTCHA on the form, or by asking the user to enter their current password before it is changed. Neither measure on its own fully prevents this type of attack (a CAPTCHA adds friction but does not prove the request came from the site's own form), but together they make it a lot harder to succeed. The standard fix is an anti-CSRF token: a random value tied to the session that the server embeds in its own form and checks on submission, which an attacker's email or page cannot read or guess; using POST instead of GET for anything that changes state, and marking the session cookie SameSite, add further layers.