Part 6 CSRF Lab Solution

Video Activity

This lab-based lesson allows participants to take part in a lab about cross-site request forgery (CSRF). In this lesson, we see how easy it is to create an image tag whose URL carries an extra parameter that transfers funds, using an image that looks like it belongs to a legitimate financial institution.


MicroCourse
Time: 9 hours 31 minutes
Difficulty: Beginner
CEU/CPE: 3
Video Transcription
00:04
Hello and welcome to the Cybrary Secure Coding course.
00:08
My name is Sonny Wear, and this is OWASP Top 10 for 2013, A8 Cross-Site Request Forgery, lab and solution. We're going to use the WebGoat CSRF exercise,
00:23
the cross-site request forgery lesson.
00:26
So in the lesson, what you'll notice is it gives you some instructions on
00:35
basically how to perform the exploit.
00:39
Now,
00:40
let me explain what we're trying to do here. It says the goal is to send an email to a newsgroup that contains an image whose URL is pointing to a malicious request. So remember
00:55
that CSRF can be accomplished through a couple of different ways.
00:59
You can either have your victim
01:02
click on a malicious link
01:04
that may be at what's called a watering hole. And that's sort of what the simulation is trying to show.
01:14
So in this simulation,
01:17
it says, try to include a one-by-one pixel image that includes the URL.
01:23
The URL should point to the CSRF lesson with an extra parameter of transferFunds equal to 4000,
01:33
and then it goes on; it says you can copy the shortcut from the left-hand menu,
01:38
so
01:38
it's pretty easy to figure out what this link is. In fact, there's a parameter value listing that's given. So I know it's Screen=52, menu=900. I could easily get that other ways too; I could use the developer tools
01:57
inside of Firefox.
02:00
So anyway, that's pretty easy to get. So what I've done is I've constructed my HTML,
02:09
and I've created an image that has a width of one and a height of one, because that's what it said:
02:15
include a one-by-one pixel image that includes a URL.
02:21
The URL needs to point to the lesson, but has this extra parameter at the end.
02:27
So this is the URL of the lesson here. Screen is equal to 52, menu is equal to 900, and then I've got the
02:36
transferFunds equal to 4000.
02:40
So
02:42
most of the URL is, of course, fine. But it's just the last portion that is,
02:51
that is nefarious. So
02:53
if I were to load this up,
03:00
it looks like nothing happened. It looks fine,
03:06
but think of this as if the link were to be given to the end user as an authenticated user, let's say maybe in an email.
03:15
And so the user has their bank open on this tab and their email open on this tab, which is certainly a viable situation,
03:28
and they happen to see, oh,
03:31
my bank just sent me an email.
03:35
Let me click that link. And so, even though the images and everything would be copied and made to look just like the bank,
03:44
they had inadvertently transferred some money to some other account.
03:52
So that's one way that could happen. The other way that this link could get here is if
04:00
there's an actual planted cross-site scripting attack on the page itself. And so when the user clicks
04:09
an image or clicks this submit, they actually invoke that malicious script behind the scenes.
04:16
And also, if it's a newsgroup that allows for the posting of information and there's no sanitization done,
04:27
then it would be very easy to put the malicious link
04:33
into the posting.
04:39
Great.
04:40
So
04:41
so that would make the link clickable right there on the trusted page. Right?
04:48
So because there is no check
04:53
when either this was clicked or
04:59
some other
05:00
external link was clicked, because there was no validation done in either request on the server side
05:09
to ensure that
05:11
these requests came only from
05:15
the place of origination,
05:16
then the CSRF attack is successful.