.

CSRF Black Box Testing

<<

JollyJokker

Post Thu Dec 23, 2010 4:33 am

CSRF Black Box Testing

Hello all,

I would like to ask any of you, how you approach CSRF testing in Professional PenTest Black Box projects. In my opinion, it seems that CSRF can only be tested through Social Engineering (extremely rare) or by breaking authentication some way (Password Cracking) in order to be able and see how and what requests are handled.

Is there something I'm missing?

Hkk.
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Dec 23, 2010 9:01 am

Re: CSRF Black Box Testing

Hi Hordakk, long time no see!  ;D

I did a similar test about 3 months ago. Sorry I am currently in a rush, I will try to add more details later. The way I approached it is in two parts:

A) Figuring out requests between the browser and the server

- Create an account on the tested web site;
- While trying all possible scenarios, sniff every single requests and responses between your browser and the server.

B) Figuring out how the session is managed

- Are they using "anti-CSRF" techniques?
- If not, try to craft a single URL (usually quite complex) that tries to reproduce each functionalities found in step A). Execute then on your logged in machine.
- If at least one crafted URL succeed, you have just found a CSRF vulnerability.
- Finally, just draft a fake email that demonstrate how a user could click on a link and trigger some activity on the web server. You can also add your URL in a fake Christmas executable (dancing santa, etc) or something like that.

CSRF examples almost always use money transfer or things like that. A CSRF vulnerability could ba as simple as login the user out or just change the way things are displayed. But everything found in a pentest is valuable for the client. They will be scared to "miss" something bigger next time...

And all this was achieve in a Black Box pentest, without really involving social engineering (because you can test it yourself).
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

JollyJokker

Post Fri Dec 24, 2010 4:08 pm

Re: CSRF Black Box Testing

Hey there H1t M0nk3y, indeed, it's been a while since my last time in EH-Net :)

I was busy by the job/employer-switching process.... actually devoured by it... :P

Thank you very much for the helpful reply. I really liked your suggestions and sound 100% valid and actually hassle-free.

My mistake for not making it clear enough from the beginning: the problem in my assignment would only be that there is no way to create an account (3 factor authentication). The black box testing agreement and planning involve unregistered user access. In other words, no way to create a user account and access protected resources.

Nevertheless, your answer will be of help to me in every other occasion!
Last edited by JollyJokker on Fri Dec 24, 2010 4:12 pm, edited 1 time in total.
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Sat Dec 25, 2010 7:27 am

Re: CSRF Black Box Testing

Woo, going after 3 factor authentication is indeed another ball game. I understand more your worries now.

Good luck, I hope you will find something "interesting" on this site... ;)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software