Pentest Notes / Exploitation / Web Exploitation
CSRF
CSRF
An attack that tricks an authenticated user's browser into sending a forged request to a web app — without their knowledge. The server processes it as legitimate because the browser automatically includes session cookies with every request.
Abuses the trust relationship between the browser and the web application.
How It Works
- Victim logs into a legit site → browser stores session cookie
- Victim visits attacker's malicious page
- Malicious page silently triggers a request to the target site
- Browser auto-includes the session cookie → server treats it as legitimate
3 Conditions Required
• Victim must be authenticated to the target app
• App must perform a state-changing action (email update, role change, etc.)
• App must not verify the origin of the request
Identifying CSRF During a Pentest
| Check | What to Look For |
|---|---|
| State-changing requests | Email, role, password, settings endpoints |
| Token presence | Missing, static, or predictable tokens |
| GET for sensitive actions | Exploitable via |
| Token strength | Try decoding — base64, MD5, etc. |
| Reproduce externally | If an external HTML page can trigger the action → vulnerable |
Exploit Techniques
The following will be in a file hosted on attacker's web server.
We have to open that file in the target so the cookies in the target machine are sent automatically
1. Hidden Auto-Submit Form (no token)
Then we can add more code to redirect to home page so that victim remains unaware:
// redirect user after the request is sent
setTimeout(function() {
window.location.href = "http://staffhub.thm:8080/settings.php";
}, 1000);
2. Image
onmouseover
(weak/predictable token)
<img src="banner.png"
onmouseover="window.location='http://target.thm/update_role.php?role=staff&csrf_token=YWRtaW4='"
width="400">
Token here is just admin base64-encoded → trivially reversible,