Cheatography

CSRF and Logic Flaws Cheat Sheet (DRAFT) by

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Summary

Similar to XSS in that the victim's browser submits a request the attacker crafted.
The difference is that CSRF uses static content (a link, image or form) rather than script running in the victim's browser.
The victim must be logged into the vulnerable application.
The victim's authenticated browser sends the transaction.
The browser attaches the cookies from the original login to any request sent to the same origin (same protocol, host name and port), so the forged request carries the victim's session.
The vulnerable app cannot tell that the request originated from another site.
OWASP suggests (CSRF) synchronizer tokens, which prevent CSRF by requiring a secure random token for any state-changing operation.
Token characteristics:
Unique per user session
Large random value
Generated by a cryptographically secure random number generator

CSRF Example

1. Attacker researches the target application to find a CSRF flaw, often a transaction that uses weak anti-CSRF protection (such as checking the Referer header) or does not require a dynamic element such as a token.
2. Attacker sends the crafted link to the victim.
3. Victim logs into the vulnerable app and then, in another tab, opens the crafted link.
4. The malicious link makes the victim's browser perform an action in the vulnerable app on the attacker's behalf: transferring funds, changing passwords, or other actions.
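As an added example (not part of the cheat sheet), the following Python sketch shows a synchronizer token with the characteristics listed in the Summary being checked on a state-changing request, beside the weak Referer-only check named in step 1. The in-memory session store, the hypothetical `handle_transfer` endpoint, the `bank.example` site name and the request dictionaries are all assumptions constructed for the demonstration; the forged request stands in for the static crafted link of steps 2 to 4.

```python
import hmac
import secrets

# Constructed in-memory session store for the demonstration: session id -> session data.
SESSIONS = {}


def new_session(user):
    """Log a user in: issue a session id and bind a fresh synchronizer token to it.

    The token has the characteristics listed in the Summary: unique per session,
    large, and drawn from a cryptographically secure generator (the secrets module).
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def handle_transfer(request):
    """Hypothetical state-changing endpoint. request is a dict with 'cookies' and 'form'.

    The browser attaches the session cookie automatically, so the cookie alone
    proves nothing about who built the request. The token does: it is embedded
    only in pages served to the logged-in user, so static content on another
    site cannot include it.
    """
    sid = request.get("cookies", {}).get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    submitted = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {request['form'].get('amount')} for {session['user']}"


def weak_referer_check(headers, site="https://bank.example"):
    """The weak defence named in step 1 of the CSRF example.

    It passes when Referer matches the site, but also when Referer is absent,
    which is exactly the case for a form opened from a local HTML file.
    """
    ref = headers.get("Referer")
    return ref is None or ref.startswith(site)


def demo():
    """Legitimate request with the token vs. a forged request that lacks it."""
    sid = new_session("alice")
    token = SESSIONS[sid]["csrf"]
    legit = {"cookies": {"session": sid}, "form": {"csrf_token": token, "amount": "10"}}
    # Forged request: the cookie rides along, but the attacker's static page has no token.
    forged = {"cookies": {"session": sid}, "form": {"amount": "1000"}}
    return handle_transfer(legit)[0], handle_transfer(forged)[0], weak_referer_check({})


if __name__ == "__main__":
    print(demo())  # (200, 403, True)
```

The third value of `demo()` is the point of the Referer note further down: a check that tolerates a missing header accepts a request that carries none, while the token check fails closed because an absent token is simply an invalid one.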

ZAP Anti-CSRF Test Form

CSRF testing functionality via "Generate Anti-CSRF Test Form".
Automates POC creation to discover CSRF flaws in POST requests.
Implementation:
Find a possibly vulnerable POST request.
Right-click the POST in ZAP and select "Generate Anti-CSRF Test Form".
Submit the generated form.
If the form submits successfully, the app is vulnerable.
To send a ZAP CSRF Test Form without a Referer, save it as an HTML file and open it locally; a form submitted from a local file sets no Referer header.
Note: When using the ZAP Anti-CSRF Test Form, the browser should be authenticated to the vulnerable app.

Logic Attacks

Business logic is often found within client-side code, whose execution is controlled by the client; its purpose is to call functionality on the server.
The attacker manually calls functions in a different order, since many automated tools lack this capability.
Example Normal Logic:
1. Add item to cart
2. Total cost
3. Authorize card
4. Check out
Example of Attacker Logic:
1. Total cart
2. Authorize credit card
3. Add items
4. Check out
Because the app stores the state of each step independently, the attacker is able to call the steps out of order, circumventing payment.
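As an added example (not part of the cheat sheet), the following Python sketch models the checkout flow above twice: a hypothetical server that stores each step's result independently, and a hardened version that enforces the step order server-side and re-checks the amount at checkout. Both classes, the item prices and the sequences are constructed for the demonstration.

```python
class VulnerableCheckout:
    """Hypothetical server that records each step's result independently.

    Nothing ties a step to the one before it, so the sequence can be replayed
    in any order, as in the attacker logic above.
    """

    def __init__(self):
        self.items = []
        self.total = None
        self.charged = None
        self.authorized = False

    def add_item(self, price):
        self.items.append(price)

    def total_cart(self):
        self.total = sum(self.items)  # 0 if called before any item is added

    def authorize_card(self):
        self.authorized = True
        self.charged = self.total  # charges whatever total was last stored

    def check_out(self):
        if not self.authorized:
            raise PermissionError("card not authorized")
        return {"items": list(self.items), "charged": self.charged}


class HardenedCheckout:
    """Same flow with the order enforced server-side and the amount re-checked."""

    def __init__(self):
        self.items = []
        self.state = "cart"  # cart -> totaled -> authorized -> done
        self.total = None
        self.authorized_amount = None

    def _expect(self, *states):
        if self.state not in states:
            raise PermissionError(f"step not allowed in state {self.state!r}")

    def add_item(self, price):
        self._expect("cart", "totaled")  # never after authorization
        self.items.append(price)
        self.state = "cart"  # any earlier total is now stale
        self.total = None

    def total_cart(self):
        self._expect("cart")
        if not self.items:
            raise ValueError("empty cart")
        self.total = sum(self.items)
        self.state = "totaled"

    def authorize_card(self):
        self._expect("totaled")
        self.authorized_amount = self.total
        self.state = "authorized"

    def check_out(self):
        self._expect("authorized")
        # Recompute and compare: any change since authorization is rejected.
        if sum(self.items) != self.authorized_amount:
            raise PermissionError("cart changed after authorization")
        self.state = "done"
        return {"items": list(self.items), "charged": self.authorized_amount}


def normal_sequence(checkout):
    """Normal logic: add items, total, authorize, check out."""
    checkout.add_item(50)
    checkout.add_item(25)
    checkout.total_cart()
    checkout.authorize_card()
    return checkout.check_out()


def attacker_sequence(checkout):
    """Attacker logic from the cheat sheet: total and authorize before adding items."""
    checkout.total_cart()
    checkout.authorize_card()
    checkout.add_item(50)
    checkout.add_item(25)
    return checkout.check_out()


def run_demo():
    """Returns what the vulnerable server charged and how the hardened one responded."""
    charged = attacker_sequence(VulnerableCheckout())["charged"]
    try:
        attacker_sequence(HardenedCheckout())
        outcome = "accepted"
    except (PermissionError, ValueError) as exc:
        outcome = f"rejected: {exc}"
    return charged, outcome


if __name__ == "__main__":
    print(run_demo())  # (0, 'rejected: empty cart')
```

The hardened class rejects the out-of-order sequence at the first step, and the state check in `add_item` also stops the variant where items are added after the card is authorized; the final recompute in `check_out` is a second line of defence in case a state transition is ever missed.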
Discovering logic flaws is a manual process because most tools only test functionality, not the intended sequence of operations.
Application mapping is crucial to discovery.
Because logic is integral to the architecture, it is harder to fix.