Tuesday, May 11, 2010

CSRF Demo Video

This is a short demo video of how a CSRF attack works. I am using Google's Jarlsberg for this demo - always get permission before performing any attacks.

The Jarlsberg application's "Add Snippet" functionality is vulnerable to CSRF. I am using simple img tags to add messages to the application - this mimics an attack whereby an attacker can add messages on behalf of the victim.

I am simulating that the user, while logged into the Jarlsberg application, is tricked into clicking a link (this particular link points to a web server running on my local machine). I then demonstrate through a proxy what happens to the traffic - you will note that the initial request goes to localhost, but when the img tag is read it loads the vulnerable URL, and the browser then automatically appends the correct cookies to that request. You can use Pinata to generate the CSRF code - though this instance uses the GET method, Pinata is much more useful when generating POST and multipart POST requests.

If you are interested in Pinata you can find it here - http://code.google.com/p/pinata-csrf-tool/


Wednesday, March 31, 2010

Pinata - A CSRF POC HTML Generation tool.

After much laziness I have finally completed the CSRF tool. I have named it Pinata.

Overview:

- The tool generates proof-of-concept CSRF HTML from an HTTP request. It automatically checks whether the request is a GET or a POST, with further validation to distinguish a standard POST from a multipart/form-data POST.
- The tool then creates HTML corresponding to the type of the request.
- The GET CSRF HTML is an IMG tag with SRC set to the URL being tested.
- The POST CSRF HTML is an auto-submitting JavaScript form with the names and values taken from the HTTP request.
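The demo above and the GET and POST pages Pinata generates both work for the same reason: the browser attaches the session cookie to a request no matter which page caused it. As an added example that is not part of this post or of Pinata, here is a minimal server-side "Add Snippet" handler in Python 3 that rejects each of those forged request shapes with a POST-only rule, an Origin check and a session-bound synchronizer token; the origin, session values and function names are assumptions made up for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# All values below are constructed for this demo; nothing is taken from Jarlsberg or Pinata.
SERVER_KEY = secrets.token_bytes(32)        # per-deployment secret used to derive tokens
SITE_ORIGIN = "https://app.example.test"    # hypothetical origin of the protected app
SESSIONS = {"sess-abc": "alice"}            # session cookie value -> logged-in user
SNIPPETS = {}                               # user -> snippets actually stored


def csrf_token(session_id):
    """Synchronizer token bound to the session; a third-party page cannot compute it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_add_snippet(method, headers, body):
    """Server side of 'Add Snippet'. The browser attaches the session cookie to cross-site
    requests by itself, so the cookie alone never authorises the write. Returns (status, msg)."""
    cookie = headers.get("Cookie", "")
    session_id = cookie.partition("session=")[2].split(";")[0]
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, "not logged in"
    if method != "POST":                        # an <img src=...> fetch is a GET: never mutate on GET
        return 405, "state-changing action requires POST"
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"   # stops the auto-submitting form when Origin is sent
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    if not hmac.compare_digest(fields.get("csrf_token", ""), csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"  # stops it even when no Origin header arrives
    SNIPPETS.setdefault(user, []).append(fields.get("snippet", ""))
    return 200, "snippet stored"


def simulate():
    """Replay the request shapes from the posts against the hardened handler."""
    cookie = {"Cookie": "session=sess-abc"}
    return {
        # victim loads an attacker page containing <img src="/addsnippet?snippet=pwned">
        "img_get": handle_add_snippet("GET", dict(cookie), ""),
        # auto-submitting form on the attacker page: cookie attached, foreign Origin, no token
        "forged_post": handle_add_snippet("POST", {**cookie, "Origin": "https://evil.example.test"}, "snippet=pwned"),
        # same forged form, but the browser sent no Origin header at all
        "forged_post_no_origin": handle_add_snippet("POST", dict(cookie), "snippet=pwned"),
        # genuine form rendered by the app, carrying the session-bound token
        "genuine": handle_add_snippet("POST", {**cookie, "Origin": SITE_ORIGIN},
                                      "snippet=hello&csrf_token=" + csrf_token("sess-abc")),
    }
```

Running `simulate()` shows the img GET rejected with 405, both forged POSTs with 403, and only the genuine request stored.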


Working:

- It is a Python-based tool and needs Python installed – I developed it on Python 2.6 and recommend using that version.
- The tool consists of three files: piñata.py, markup.py and CSRFBody.txt.
- To install it create a new directory like C:\Pinata and copy all three files to it.
- Piñata.py is the main file and should be run to generate the HTML.
- Markup.py is called by piñata.py to generate the HTML. I did not develop it and take no credit for it - however, I would like to thank its developer; it made my life much easier. NOTE: It should not be altered.
- CSRFBody.txt holds the HTTP request.
- To use the tool, go to the vulnerable page, create a request, and capture the HTTP request in the proxy. Copy this request, paste it into CSRFBody.txt, then save and close CSRFBody.txt.
- Run the tool by going to the command line and typing C:\Pinata\pinata.py
- It should generate the HTML file in C:\Pinata\


Future Direction

- I look forward to your suggestions.
- Perhaps some features to beat Referer-header-based CSRF protection.
- This is essentially a hack, so I will work towards cleaning up the current code.


Questions:

- Let me know if you have any questions or it suddenly stops working for you.

Code:

You can download Pinata at the following URL:

http://code.google.com/p/pinata-csrf-tool/