pierre
Posted October 5, 2016

Hello, I understand how CSRF works. If such a vulnerability is present on a profile.php page, a user could be tricked into having his password changed by clicking on a malicious link. But what about the impact on a login.php page with a CSRF vulnerability? Because there is no action possible on the page apart from filling in the credentials.

Thanks
pentestgeek
Posted October 5, 2016

In this instance the attack vector would not be on the specific /login.php page but instead on the user trying to access it. An attacker could potentially forge a request from the victim trying to log in and instead have their request diverted to a page that they control, thereby harvesting that user's credentials.

More info on the subject: https://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests
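The login-CSRF case described in this reply, as an added example (not code from the thread or from any site it mentions): a small Python model of a login.php handler. The vulnerable handler checks only the credentials, so a cross-site POST that the attacker makes the victim's browser send, carrying the attacker's own username and password, logs the victim's browser into the attacker's account. The hardened handler issues a token bound to a pre-authentication session cookie when it renders the form and accepts the POST only if the form echoes that token; it also rejects submissions whose Origin header is not the site's own. The site origin, the user list and the in-memory session store are all constructed for the example.

```python
"""Login CSRF defence: a token bound to the pre-login session, plus an Origin check.

Added example; not code from the thread or from any site it mentions. It models
a login.php handler in Python. The server issues a token tied to a
pre-authentication session cookie when it renders the form; the POST is only
accepted when the form echoes that token. A cross-site forged POST can carry the
attacker's username and password (login CSRF), but cannot read the victim's
token, so the hardened handler rejects it.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://example.test"                      # assumed site origin
USERS = {"victim": "victimpw", "attacker": "attackerpw"}  # constructed accounts
SESSIONS: dict = {}                                       # constructed store: sid -> data


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: cookies, form fields, headers."""
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def render_login_form(request):
    """GET login.php: start a pre-login session if needed and mint its token.

    Returns (session_id, csrf_token); a real page would set the sid cookie and
    embed the token as a hidden form field.
    """
    sid = request.cookies.get("sid")
    if sid not in SESSIONS:
        sid = secrets.token_urlsafe(16)
        SESSIONS[sid] = {}
    token = SESSIONS[sid].setdefault("csrf", secrets.token_urlsafe(32))
    return sid, token


def _check_credentials(form):
    user = form.get("user")
    if user in USERS and hmac.compare_digest(USERS[user], form.get("password", "")):
        return user
    return None


def handle_login_legacy(request):
    """Vulnerable POST login.php: credentials only. A forged cross-site request
    that carries the attacker's credentials logs the victim's browser into the
    attacker's account."""
    return _check_credentials(request.form)


def handle_login(request):
    """Hardened POST login.php: Origin check, then token check, then credentials."""
    origin = request.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return None                      # cross-site submission
    sess = SESSIONS.get(request.cookies.get("sid"))
    if not sess or "csrf" not in sess:
        return None                      # no pre-login session: form never rendered
    if not hmac.compare_digest(request.form.get("csrf", ""), sess["csrf"]):
        return None                      # token missing or minted for another session
    user = _check_credentials(request.form)
    if user is not None:
        sess["user"] = user
        sess.pop("csrf")                 # one-time use; re-rendering the form mints a new one
    return user


if __name__ == "__main__":
    sid, token = render_login_form(Request())
    forged = Request(cookies={"sid": sid},
                     form={"user": "attacker", "password": "attackerpw"},
                     headers={"Origin": "https://evil.test"})
    print("legacy handler, forged request ->", handle_login_legacy(forged))
    print("hardened handler, forged request ->", handle_login(forged))
```

The point the model makes is that the token has to exist before authentication: an ordinary "CSRF token in the logged-in session" scheme does nothing for login.php, because at that moment there is no logged-in session to bind to, which is why a pre-login session cookie is issued on the GET.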
digip
Posted October 6, 2016

If the admin clicks a malicious link and it redirected the admin to the site's login, where they are already logged in, it can then have the potential to pass commands to the logged-in system as the admin user, such as say a WordPress dashboard settings page or a bulletin board admin panel (think posting directly to /wp-admin/, which would normally redirect you to the wp-login.php form, but if logged in already, will execute against the dashboard wherever you post the info, such as /wp-admin/admin-ajax.php), etc.

Credential harvesting as mentioned above is always a possibility depending on how you target the victim, but unless you're spoofing the login page and they fall for it, you're not going to get those sent in the clear without some social engineering. But you may have the potential to force the user's session info to post back to you for reusing logged-in cookies and session data if the link is also vulnerable to RFI, appending the cookie data directly to the URL that calls your site's harvesting link.
pierre (Author)
Posted October 24, 2016

On 05/10/2016 at 4:28 PM, pentestgeek said:
In this instance the attack vector would not be on the specific /login.php page but instead on the user trying to access it. An attacker could potentially forge a request from the victim trying to log in and instead have their request diverted to a page that they control, thereby harvesting that user's credentials. More info on the subject: https://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests

"An attacker may forge a request to log the victim into a target website using the attacker's credentials; this is known as login CSRF. Login CSRF makes various novel attacks possible; for instance, an attacker can later log into the site with his legitimate credentials and view private information like activity history that has been saved in the account. This attack has been demonstrated against Google[9] and Yahoo.[10]"

So the main point here is that the victim uses the hacker's website account?

On 06/10/2016 at 11:11 PM, digip said:
If the admin clicks a malicious link and it redirected the admin to the site's login, where they are already logged in, it can then have the potential to pass commands to the logged-in system as the admin user, such as say a WordPress dashboard settings page or a bulletin board admin panel (think posting directly to /wp-admin/, which would normally redirect you to the wp-login.php form, but if logged in already, will execute against the dashboard wherever you post the info, such as /wp-admin/admin-ajax.php), etc.

- The malicious link which contains login.php is sent
- Then the victim is redirected toward /wp-admin because she is already logged in
- Finally a harmful action is done on the /wp-admin page?
digip
Posted October 26, 2016

On 10/24/2016 at 8:48 AM, pierre said:
"An attacker may forge a request to log the victim into a target website using the attacker's credentials; this is known as login CSRF. Login CSRF makes various novel attacks possible; for instance, an attacker can later log into the site with his legitimate credentials and view private information like activity history that has been saved in the account. This attack has been demonstrated against Google[9] and Yahoo.[10]"

So the main point here is that the victim uses the hacker's website account?

- The malicious link which contains login.php is sent
- Then the victim is redirected toward /wp-admin because she is already logged in
- Finally a harmful action is done on the /wp-admin page?

I used WordPress as an example. WordPress in general usually isn't vulnerable to CSRF due to the use of nonces, but say a plug-in doesn't implement a nonce in one of its functions; this could potentially allow someone to build a malicious link that could allow actions to be taken against the WordPress site, depending on what the plug-in is set up to do. For example, if the plug-in is an upload plug-in, it may potentially allow uploading of a reverse shell by sending an admin-level, logged-in user a link to click.

Here are some examples of how that might play out:
https://css-tricks.com/wordpress-front-end-security-csrf-and-nonces/
http://ottopress.com/2014/better-know-a-vulnerability-cross-site-request-forgery-csrf/
pierre (Author)
Posted October 26, 2016

5 hours ago, digip said:
I used WordPress as an example. WordPress in general usually isn't vulnerable to CSRF due to the use of nonces, but say a plug-in doesn't implement a nonce in one of its functions; this could potentially allow someone to build a malicious link that could allow actions to be taken against the WordPress site, depending on what the plug-in is set up to do. For example, if the plug-in is an upload plug-in, it may potentially allow uploading of a reverse shell by sending an admin-level, logged-in user a link to click. Here are some examples of how that might play out: https://css-tricks.com/wordpress-front-end-security-csrf-and-nonces/ http://ottopress.com/2014/better-know-a-vulnerability-cross-site-request-forgery-csrf/

For example, the site is like that:
@IP/login.php -> nonce protection
@IP/wp-admin/admin-ajax.php -> no nonce protection

The attacker sends this malicious link:
http://@IP/wp-admin/admin-ajax.php?password_new=weak&password_conf=weak&Change=Change

The admin clicks the link. So even if login.php has nonce protection, it makes no difference because the HTTP request doesn't route through @IP/login.php but instead goes directly toward @IP/wp-admin/admin-ajax.php, so the request isn't blocked by the web server's nonce protection?
digip
Posted October 28, 2016

Depends on the plugin. Lots of WordPress attacks are abused against admin-ajax because of flaws directly in the plugin itself when called via admin-ajax, so a maliciously crafted link that allows GET requests against the site via the plugin has the potential to do many things. Some of them don't even require authentication. I can't remember the name of it off the top of my head, but on older specific versions of WordPress and the one plugin, posting even while logged out, any user could inject data into the pages and insert code that auto-created entries in the blog posts. This isn't so much CSRF, but ones that do require authentication could be placed in a link that the admin clicks without paying attention to the URL and would execute as admin to make the changes or whatever the payload is capable of.

Some might be theme based, where the theme adds functions to the admin panel for updating the theme, and might for example allow adding new users or changing passwords. Bwall and I had found a similar flaw in a theme a few years back that did just that for an authenticated user to abuse the admin panel settings, so CSRF might have been a possibility here as well, but not sure we tested that since this was more theme-vuln related with admin control over the settings. I think the POC he used was to change the default email of the admin for WordPress, so that you could reset the password and have it send you the link without the admin knowing and then log in as admin to take control of the site.

Search exploit-db.com for CSRF and WordPress; sure you'll find lots of examples to play with, and if you want, you can set up a VM with older versions of WordPress by downloading them off wordpress.org's SVN forks.

Edited October 28, 2016 by digip
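The two preceding posts turn on what a nonce actually binds and what happens when a plug-in handler reached through admin-ajax.php skips the check. The following is an added example, not WordPress code and not from anyone in the thread: a Python model of the scheme WordPress nonces follow (a keyed hash over a 12-hour time tick, the action name and the user id, accepted for the current and the previous tick), followed by two versions of a plug-in style handler that changes the admin e-mail address, the setting digip mentions as the POC target. The vulnerable version checks only that the caller is an administrator, so any request that arrives with the admin's cookies succeeds; the hardened version also verifies a nonce bound to that action and that user, which a cross-site request cannot supply. The secret, the user ids and the settings table are constructed for the example, and the `_wpnonce` parameter name is borrowed from WordPress's convention.

```python
"""Action nonces for an admin-ajax style handler: missing check vs. present check.

Added example; not WordPress code. It models in Python the scheme WordPress
nonces follow (a keyed hash over a 12-hour time tick, the action name and the
user id, valid for the current and previous tick), and a plug-in style handler
that changes the admin e-mail address. The vulnerable handler checks only that
the caller is an administrator, so any request carrying the admin's cookies
(such as a crafted link the admin clicks) succeeds; the hardened one also
verifies the nonce, which a cross-site request cannot supply.
"""
import hashlib
import hmac
import math
import time

SECRET = b"constructed-site-secret"   # assumed: the site's secret salt
NONCE_LIFE = 24 * 3600                # one day, split into two 12-hour ticks

SETTINGS = {"admin_email": "admin@example.test"}   # constructed site settings
ROLES = {7: "administrator", 8: "subscriber"}      # constructed user ids


def _tick(now):
    """Current 12-hour bucket; the nonce only has to be re-minted twice a day."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for_tick(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(action, user_id, now=None):
    """Nonce for one action and one user, as the server would embed in a page."""
    now = time.time() if now is None else now
    return _nonce_for_tick(_tick(now), action, user_id)


def verify_nonce(nonce, action, user_id, now=None):
    """1 if minted in the current tick, 2 if in the previous one, 0 if invalid."""
    now = time.time() if now is None else now
    nonce = str(nonce)
    if not nonce.isascii():
        return 0                          # compare_digest only accepts ASCII str
    tick = _tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(nonce, _nonce_for_tick(t, action, user_id)):
            return age
    return 0


def change_admin_email_vulnerable(current_user_id, params):
    """Handler with the capability check only (the plug-in bug the thread describes):
    the admin's browser sends the request, so the role check passes."""
    if ROLES.get(current_user_id) != "administrator":
        return "forbidden"
    SETTINGS["admin_email"] = params["email"]
    return "ok"


def change_admin_email(current_user_id, params, now=None):
    """Hardened handler: capability check and a nonce bound to this action and user."""
    if ROLES.get(current_user_id) != "administrator":
        return "forbidden"
    if not verify_nonce(params.get("_wpnonce", ""), "change_admin_email",
                        current_user_id, now):
        return "invalid nonce"
    SETTINGS["admin_email"] = params["email"]
    return "ok"


if __name__ == "__main__":
    # Request that arrives with the admin's cookies but was not built from a
    # page the server rendered for the admin, so it carries no nonce.
    crafted = {"email": "attacker@evil.test"}
    print("vulnerable handler:", change_admin_email_vulnerable(7, crafted))
    SETTINGS["admin_email"] = "admin@example.test"
    print("hardened handler:", change_admin_email(7, crafted))
    print("admin_email is now:", SETTINGS["admin_email"])
```

Two properties of the scheme are worth checking in any plug-in review: the nonce is tied to the user id, so a value the attacker obtains from their own low-privilege account verifies as 0 for the administrator, and it is tied to the action name, so a nonce leaked from one form cannot be replayed against another handler. Neither property helps if the handler never calls the verify function, which is exactly the admin-ajax case discussed above.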