Saturday, 12 November 2016

HOW TO USE CSRF VULNERABILITY IN WEBSITE (OWASP TOP 10)


CSRF vulnerability
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
Exploiting this vulnerability
Let's do it.
Required tools:
1.   Any OS
2.   XAMPP server
3.   Vulnerable web application (DVWA)

Now follow the steps given below:
1.   Open the login page of the DVWA website.
Admin = admin, password = pentest (I already changed the password)
2.   Set the DVWA security level to Low.
3.   Go to the CSRF option.
4.   Now I am changing the password.
Password = hacksac12
Log out.
Then log in again with the new password.
Go to CSRF and view the page source.
Now I want to change the password using this vulnerability.
Let's do it.
Now copy the source code and paste it into Notepad.

Log in with a wrong ID or password.
Then copy the first half of the URL, as shown in the picture.
Paste it after (form action-).
New password = pentest
Paste your new password after the (new) [“value-pentest”].
Then copy the new password [“value-pentest”] and paste it right after the (conf) on the next line, just as shown in the picture.

Then save the file in .html format.
Open the HTML file you saved.
When you open the HTML file, a new tab opens; click Change.
The password has been changed.
Let's check the new password.
It's working.
So this vulnerability allows a hacker to log in.


This way the login password of any website with this vulnerability can be changed.
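The server side of the password change above, as an added example that is not part of the original post and is not DVWA's own code: a handler that trusts the session cookie alone, next to one that also checks a per-session anti-CSRF token. The function names, the in-memory session store and the sample requests are constructed for illustration; the field names password_new and password_conf are assumed to correspond to the (new) and (conf) inputs in the steps.

```python
import hmac
import secrets

SESSIONS = {}  # session id -> {"user", "csrf_token"}; in-memory stand-in for a session store
PASSWORDS = {"admin": "old-password"}  # constructed sample data, plaintext only to keep the demo short

def login(user):
    """Create a session and bind an unpredictable anti-CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid

def _valid_pair(params):
    """The new password must be present and match its confirmation."""
    new = params.get("password_new")
    return bool(new) and new == params.get("password_conf")

def change_password_low(cookie_sid, params):
    """Behaviour shown in the steps: the session cookie alone authorises the change."""
    session = SESSIONS.get(cookie_sid)
    if session is None or not _valid_pair(params):
        return False
    PASSWORDS[session["user"]] = params["password_new"]
    return True

def change_password_hardened(cookie_sid, params):
    """Also require the per-session token, which a page on another origin cannot read."""
    session = SESSIONS.get(cookie_sid)
    if session is None or not _valid_pair(params):
        return False
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return False  # cookie present but token missing or wrong: reject
    PASSWORDS[session["user"]] = params["password_new"]
    return True

def demo():
    sid = login("admin")
    # Constructed requests: the browser attaches the cookie to both, but only
    # the site's own form can carry the token.
    forged = {"password_new": "attacker-choice", "password_conf": "attacker-choice"}
    genuine = {"password_new": "user-choice", "password_conf": "user-choice",
               "csrf_token": SESSIONS[sid]["csrf_token"]}
    return {"low_forged": change_password_low(sid, forged),
            "hardened_forged": change_password_hardened(sid, forged),
            "hardened_genuine": change_password_hardened(sid, genuine),
            "final_password": PASSWORDS["admin"]}
```

Requiring the current password in the same form and setting the SameSite attribute on the session cookie are complementary checks to the token.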
Thanks for reading this article.    
Author: Sumreet Sharma is a Certified Ethical Hacker, penetration tester, junior security analyst, network engineer and technical writer, pursuing Microsoft software engineer, India.
Contact here: https://goo.gl/unp1AA
