
PenTest 2 CSRF

gobzi

Hello all,

First of all, what is the point of CSRFing an app that you've already accessed as the only user (MoshBat)? Anyways!

For the past couple of weeks I've been trying to get the 40 CSRF pts, but as you've already guessed, without any luck. The app doesn't use any CSRF tokens or re-auth, meaning that almost anything is CSRFable.

I've tried to CSRF the register area, which gives me the error "You have already found this exploit!", meaning that my form works fine.

I've already read synstealth's article (https://www.hellboundhackers.org/articles/read-article.php?article_id=975) and I believe that "edit news" is the place, isn't it? (if it isn't please let me know :o ).

The form that I've used is:

```markup
<html>
<body>
<!-- hidden form posting the "change" field to the editnews page -->
<FORM action="https://www.hellboundhackers.org/challenges/pentest/pentest2/index.php?page=editnews&&edit=01" METHOD="POST">
<input type="hidden" name="change" value="<img src='http://i.imgur.com/0Ck9gp9.jpg'/>">
</FORM>
<!-- submit the form as soon as the page loads -->
<script>document.forms[0].submit();</script>
</body>
</html>
```

Any help would be appreciated since it's already getting on my nerves! :@

Huitzilopochtli

This challenge almost tells you what to do at every step, so there's one link that stands out more than the rest, and it's the obvious choice for the CSRF.

An obvious advantage of having the owner run the CSRF is that the last log entry will have his IP and not yours; also, it adds to the lolz.

Also, just because you did a regular login with the owner's account doesn't automatically give you admin rights; usually there would be a secondary admin panel with a separate password to safeguard against that.

You can PM me what you're trying if you're still stuck.

gobzi

Thanks for the reply m8.

I'm gonna check it now since I didn't have enough time to spare at the weekend :D

gobzi

Well, it was pretty much straightforward, but what I don't get is that the Delete Account page doesn't have any CSRF protection to begin with (no tokens or re-auth, etc.).

If that was a live app, I could craft a malicious page that would send a "legitimate" request (as soon as the authenticated victim visits my page), with the "confirm=YES".

The app would respond: Oh hi! That's a request from an authenticated user! Let's delete his account!

So, what's the point of doing that via e*** ***s?! :o

rex_mundi (☆ Lucifer ☆)

First you'd have to actually lure him to your exploit page, but he could visit your page when he's not logged in as admin on his own site, and nothing would happen; or he could view the source, and the game would be up.

I suppose leaving it there would be a better way of ensuring he's logged in when he views the page with the CSRF, and since it's his own site, he'd be less suspicious.

Even if the page is protected by an anti-CSRF token, you're still not really safe. If there is an XSS hole somewhere else on the site, you can chain the vulnerabilities together and use the XSS on his site to first get the valid token from the form, build the attack form with the retrieved token, and then submit the form automatically on viewing, without him ever seeing a thing.
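A defender's view of gobzi's complaint about the Delete Account page and rex_mundi's token caveat, as an added example that is not code from this thread or from HBH: a constructed delete-account handler in its token-less form beside a hardened one (Origin check plus a session-bound synchronizer token), with SITE_ORIGIN, the Session and Request classes and the sample requests all assumed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://www.example.test"  # constructed origin, not the challenge site

@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))  # minted once per session

@dataclass
class Request:
    method: str
    headers: dict              # e.g. {"Origin": "https://attacker.test"}
    form: dict                 # decoded POST body
    session: "Session | None"  # resolved from the session cookie the browser attached

def delete_account_unprotected(req):
    """The pattern the thread describes: any authenticated POST with confirm=YES is honoured."""
    if req.method != "POST" or req.session is None:
        return 403, "not logged in"
    if req.form.get("confirm") != "YES":
        return 400, "not confirmed"
    return 200, f"deleted {req.session.user}"

def delete_account_protected(req):
    """Same action behind an Origin check and a synchronizer token bound to the session.
    rex_mundi's caveat still applies: same-origin XSS can read the token, so fix XSS too."""
    if req.method != "POST" or req.session is None:
        return 403, "not logged in"
    # Browsers attach Origin to cross-site form posts; anything not ours is rejected outright.
    if req.headers.get("Origin") != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    # Token must equal the session's copy; constant-time compare avoids a timing oracle.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), req.session.csrf_token):
        return 403, "missing or invalid csrf token"
    if req.form.get("confirm") != "YES":
        return 400, "not confirmed"
    return 200, f"deleted {req.session.user}"

def cross_site_autosubmit(session):
    """Constructed: the auto-submitting form from this thread, served from another origin."""
    return Request("POST", {"Origin": "https://attacker.test"}, {"confirm": "YES"}, session)

def legitimate_confirm(session):
    """Constructed: the site's own delete form, rendered with the session's token."""
    return Request("POST", {"Origin": SITE_ORIGIN},
                   {"confirm": "YES", "csrf_token": session.csrf_token}, session)
```

Running both handlers over the same victim session shows the unprotected one deleting the account from the foreign page while the protected one only accepts the site's own form; re-auth for destructive actions (as gobzi notes is missing) is the extra layer the token does not give you.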