December 23, 2010 at 9:33 am #5908AnonymousParticipant
I would like to ask any of you, how you approach CSRF testing in Professional PenTest Black Box projects. In my opinion, it seems that CSRF can only be tested through Social Engineering (extremely rare) or by breaking authentication some way (Password Cracking) in order to be able and see how and what requests are handled.
Is there something I’m missing?
December 23, 2010 at 2:01 pm #37017caissydParticipant
Hi Hordakk, long time no see! ;D
I did a similar test about 3 months ago. Sorry I am currently in a rush, I will try to add more details later. The way I approached it is in two parts:
A) Figuring out requests between the browser and the server
– Create an account on the tested web site;
– While trying all possible scenarios, sniff every single requests and responses between your browser and the server.
B) Figuring out how the session is managed
– Are they using “anti-CSRF” techniques?
– If not, try to craft a single URL (usually quite complex) that tries to reproduce each functionalities found in step A). Execute then on your logged in machine.
– If at least one crafted URL succeed, you have just found a CSRF vulnerability.
– Finally, just draft a fake email that demonstrate how a user could click on a link and trigger some activity on the web server. You can also add your URL in a fake Christmas executable (dancing santa, etc) or something like that.
CSRF examples almost always use money transfer or things like that. A CSRF vulnerability could ba as simple as login the user out or just change the way things are displayed. But everything found in a pentest is valuable for the client. They will be scared to “miss” something bigger next time…
And all this was achieve in a Black Box pentest, without really involving social engineering (because you can test it yourself).
December 24, 2010 at 9:08 pm #37018AnonymousParticipant
Hey there H1t M0nk3y, indeed, it’s been a while since my last time in EH-Net 🙂
I was busy by the job/employer-switching process…. actually devoured by it… 😛
Thank you very much for the helpful reply. I really liked your suggestions and sound 100% valid and actually hassle-free.
My mistake for not making it clear enough from the beginning: the problem in my assignment would only be that there is no way to create an account (3 factor authentication). The black box testing agreement and planning involve unregistered user access. In other words, no way to create a user account and access protected resources.
Nevertheless, your answer will be of help to me in every other occasion!
December 25, 2010 at 12:27 pm #37019caissydParticipant
Woo, going after 3 factor authentication is indeed another ball game. I understand more your worries now.
Good luck, I hope you will find something “interesting” on this site… 😉
- You must be logged in to reply to this topic.