
Um, hello everybody, very glad to be here. So the talk today is going to be about a toolkit I developed for CSRF attacks. Everybody can hear me? Is it okay? Yeah, perfect. So really glad to be here, even with the strikes; it was hard, but I made it. Just a quick aside: what is this talk about? So, we're very glad for you to be here. Just a really quick recap about CSRF attacks, because I guess everybody already knows about it, so just one slide about this. Then I will present the tool, what you can do with it, and all the motivations, etc., why I wanted to create such a toolkit. Then I'm going to do some demos, hopefully it's going to work, should be okay, and then I'm going to talk about some issues in some websites I just found on the internet, mitigations, and a little surprise, woo.

So the slides are available here, it's my personal blog; at the same time I just did a tweet on Twitter so you can share it with your friends, and yeah, maybe then instead of drinking beer they can come here, and maybe drink beer at the same time, just coming to the talks, could be nice. So yeah, just a quick presentation before starting. I guess you already noticed it, I'm French, with my accent. I'm a student, master in computer science, I graduated at the end of August, passionate about security and especially web security, and I'm an open-source developer, I even have the GitHub hoodie. So here is my Twitter account; if you want you can follow me and have some information, some news about my projects and what I'm doing. And here is my GitHub, you can find, I don't know, maybe some relevant projects I'm working on, and if you want you can even contribute to them. So basically the toolkit I'm developing, if you think about good features and some things you'd like to get in CSRFT, we can speak about it later and we can see.

So let's start: why CSRFT, why this toolkit? Basically I wanted something lightweight and only dedicated to CSRF attacks. So basically what I wanted was something that you could share with your friends, you know, a basic configuration file, and then you could deploy it really easily, and you could share it with your friends, you can share it if you want with your clients, customers, and something that could demonstrate to them the strength of those vulnerabilities. I wanted as well something cross-platform, open source, so all the code has been released under the GPLv3 license, so feel free to fork the code, do everything you
want. Yeah, and as I said, if you want to contribute to the project you can even do some pull requests, and I would be really glad if you could contribute to it. And I guess the key feature is that you can combine CSRF attacks, and there was no toolkit for this. If we look on the internet, for example Exploit-DB, when there is an advisory about CSRF attacks, it's mostly okay, you got this URL or you got this form, you just send it over to the victim and it's going to change his password, okay, so just some kind of single attack. But with this toolkit what you can do is manage to combine them, you know, and you don't have only this assumption that the user has to be connected to the platform, because otherwise it's going to fail. So here, well, I will explain later, but I will describe a scenario which is actually composed of different kinds of steps you will do, and even if the user is not connected to the platform you will be able to... where is it, it's going to be just below, it's going to be one of my first demos, and you will be able to log the user in, send some malicious payload, and log him out. So basically it's going to be like a transparent attack.

So here is the slide, I hope you can see it well, hope so. If we take a basic scenario, the user is going to send a request to a legit website, or, you know, doing some social engineering or something, you will send a link, he's going to click on it, there will be some malicious payload on the website, the payload will be sent to the victim, and then it's going to send an unwanted request to a vulnerable platform. So basically if you just take an exploit on Exploit-DB, well, you're going to have your crafted form, you just put it in some HTML file, okay, on your Apache or nginx server or something, and then you're going to, you know, just give the link to the victim and hopefully he's going to click on it and browse the page. So that's the basic CSRF scenario.

And what about with the toolkit? So basically it's quite the same in principle; how it's working, it's similar to BeEF, so I guess everybody here knows BeEF, yeah, okay. So, well, okay, there is a communication between the victim and the infected server, okay, and then there will be a communication, I'm using JSON and AJAX calls, so it's fully JavaScript, and it's just going to gather the next exploit to execute and then insert it into the DOM of the user. So basically if you want to fake some GET requests, you're going to insert it in some image tag, and otherwise you can use an iframe, you know, to send some POST requests, and the victim is going to send an unwanted request to a vulnerable platform, but it can be several, depending on the scenario that you want to run.

Okay, so how is it made? It's an HTTP server that I developed using Node.js, so it was a technology I didn't know about, you know, but with all those buzzwords etc., everything is JS, and I wanted to give it a try,
and that's really nice, you know. I mean, are there some people here familiar with Node.js? Yeah, oh okay, two or three hands, okay. But it's a technology where you can manage to do some proof of concept really easily; basically the code here for this toolkit is something like, maybe, I don't know, three hundred lines, okay, it's quite generic and you can do a lot of stuff. So okay, it's an HTTP server which has been developed in Node.js, you can fake GET and POST HTTP requests. I didn't want to bother with, you know, PUT, DELETE, etc., because if you want to target those it means that you already got some injection in the place, so XSS, and then you can do whatever you want, so you can run BeEF, you can do a lot of stuff. So I wanted really something generic, for, you know, not remote XSS but CSRF attacks in general.

And it creates payloads on the fly. So basically if you want to log a user in, okay, and there is the parameter password which is going to change because you don't know his password, so let's say he's got some weak credentials and his password is in the top 20 worst passwords, okay. So if you want to do it you will have to create 25, 20 different files, HTML files containing the password, okay, which is going to change, so I'd say, I don't know, it's going to be password, 123456, etc., etc., you will have 25. And here with this toolkit you just create the payloads, sort of forms, you create them on the fly, so directly from the URL you can manage to create them. So you just have a template, okay, so you just say, okay, this is going to be my template, my login form, and then from the URL it's going to get the parameters etc. and build the form automatically. So basically here you will just have one template, and if you want to run the attack to log the user in, you will just, you know, call the URL with the specific password that you want. So you will not have a lot of HTML files that you will be lost in, etc., etc.

As I said, there is the communication part, which is in JSON, everything is in JavaScript here, so I think for me it was the most convenient and it fit the need. And just a quick info: this weekend I looked on the internet to find, you know, some real statistics about people disabling JavaScript, and do you know something about the percentage? Okay, in the US it's only two percent, okay, and if we look at Europe, UK, it's around one and two, okay. So I can understand that some people, you know, we will speak about the mitigations etc., what you can do, and you can say to me, okay, but if I don't have JavaScript enabled, you cannot do anything with this toolkit. That's true, but I mean, if you want to target some people in a company etc., you can manage to do it, you know, because most of the people just keep JavaScript enabled, and you can do a lot of stuff.

There are even some more features. As I said, you can manage to combine CSRF flaws, and that's, I would say, the key feature of this tool; I will just run through, after this, during the demos, what we can do with this. And we have two attack modes. So if we look on Exploit-DB and all the exploits we have about CSRF attacks, we've got a special value, you know, you get a specific custom crafted form, and here it is the same, you know, if you want to craft your own custom form or even target a URL you can do it by just choosing this method. And otherwise there is a dictionary attack, so yeah, just a quick example: if you want to try to log the user in, you will just specify the attack, the template form that you want to use or the target URL, and then you will specify the dictionary file that you will want to use, and then for each entry in the file it's going to send the payload to the victim, and the victim will just, you know, insert it into the DOM and execute it. Is it all clear? Yeah.

After the conference, I mean after this talk, I think we will have something like, I don't know, maybe five or ten minutes, so if you have some questions just feel free to keep them, and if you're too shy to ask, we can maybe take a beer after and we can speak about it, or otherwise you can ask directly, feel free. Moreover, there are
some additional tools. Are there some people who know Chema Alonso? Yeah, okay, he's Spanish, and he often goes to DEF CON, and I created some tools: a JavaScript proxy which tampers with the request and inserts a malicious iframe. Well, it was inspired by this researcher, because he did this presentation, I mean, do you know this presentation? Maybe, okay. Long story short, what he wanted, he's Spanish, he doesn't have a lot of money, and he was doing a lot of jokes about this, and he was lazy, and he wanted to create a botnet, okay, but he didn't have the money for this, okay. And I think what he had in mind was, you know, to create a Squid proxy and then register it on the internet, and after a few days it got something like... and at the same time he was tampering with the requests and injecting some JavaScript, okay. And the thing is, after a few days it got something like more than 5,000 people, okay. But all this Squid proxy etc., I didn't want to try it, so I just created a JavaScript one, still Node.js, and it's a JavaScript proxy that you can launch on your machine, you just specify the target iframe that you want to insert into the pages, and it's going to do the work for you. So you can give it a try, it's on my GitHub account as well, so you should give it a try.

And as well there is another Python tool I developed, which is a command-line tool that automates the usage of my toolkit. So basically if you find a CSRF on a form, then you can just use this tool and it will grab the form, will create a configuration file, which is in JSON, and will launch the toolkit. So just one command line and you can manage to target the people, you know, you will not have to just take the HTML, just insert it into your Apache server, etc., everything is done here, okay, it's a typing problem, let's say, okay.

Are you ready for the demos? Yeah. The first demo is going to be a really custom one, where I can show you, I would say, the key feature of this tool: you can manage to combine the attacks. So let's take, I just developed from scratch a web application that will be available as well on the internet, and there are some flaws, CSRF flaws obviously, and then what we're going to try to do is try to log the user in, okay, send some malicious payload after he is logged in, and then log the user out, okay, so a completely transparent attack. If you... I can't even show you the... I'm going to show you, yeah, the stuff.
I don't know if you can see clearly, but so we got the name, this is a configuration file that you will just load with the toolkit, okay, you just launch it. So you get the name, if you want to add another custom name, and then we got three steps here, so three different attacks that will be loaded separately, so the first one, then the second one, and then the last one. The first one is a type of attack "dictionary", it's going to use a .txt password file with the form, I can show you after what it is, but actually it's just the template of the login form, and then yeah, just a comment, so that's what we're going to try, this is the login phase. Then the special value here, because we want to change the user's password, that we can do, and then the last step is we want to log him out. So yeah, I just have some internal virtual machines which are running on my computer, and we're going to try it. Yeah, I can show you the template as well.

Okay, we cannot see a lot of stuff, but it's just, you know, basic HTML, and this is just the form, nothing else, okay. I'm going to show you the vulnerable platform I developed.

So here is the vulnerable platform I developed for the occasion. We're going to create an account, bsides, okay, with the same password, okay. Anyway, we can even log in, it's just a, you know, basic web application where you can, you know, reach the users, get some information, send messages, etc., etc. Obviously you can change your password, it's not protected against CSRF flaws, okay. So I'm just going to log out. Well, this application, you know, I just renamed it "intranet", so the thing is with this tool you can manage to target obviously all the internal web applications that you have, so it could be for example a router interface, because most of them are absolutely not concerned about brute-forcing logins etc., and obviously they do not have tokens in forms, you know, if you want to change the settings, change the DNS settings, passwords, etc. So well, just to show you, you know, we got the intranet here, so the internal application of the user, and the attacker will be able to send some payloads anyway, even if the person is not logged in. So if the attacker has got access to this application at home, so let's say he just bought the same router, he can manage to craft those requests and just, you know, put this configuration file on the remote server and then launch it and do everything you want. So okay, let's just start the toolkit.
Okay, so we launched it on port 80... okay, you can't see anything, it's just on a virtual machine that I'm running here, yeah, Spider-Man, okay. So it's launched on port 8080, and for example if you just give the link to the malicious site to the victim, sorry, okay, you got a page like this, so, you know, one page, and let's go back to the console, and we can see that, you know, the first exploit, /exploit, that we're doing is just to grab all the information, to load all the exploits, and then as we can see we're doing the first phase, which is the login phase, so, you know, we are trying several passwords, so qwerty, monkey, dragon, 123, 123, etc., and bsides as well. And then the second phase here is that we're sending some payloads, which is special value, so this is undefined, this parameter, okay, because the form is already crafted, and then the last step is that we want to log out the user. So if we just go back to the platform, okay, we're not logged in, we can try to log in,

and we got a message here, and we couldn't manage to log in with bsides, obviously, because the password was changed. I'm just going to find the new password because I don't remember clearly.

Okay, the password was "wood wood".

And we logged in with the password "wood wood", yeah. So we managed to do a completely transparent attack for the victim, and we managed to send all the requests with his... you know, without him accepting it; we couldn't manage to do it. So the first demo was working, woo, okay.

And the second demo I'm going to do is the automated attack with my Python utility, just to show you, you know, if you manage to find a vulnerable platform, what you can do to, you know, create some proof of concept really easily. So just one command line and you will be able to do it, and it's going to send a real crafted request to change the admin password. So if we take the, you know, the workflow, what you would have to do otherwise is, you know, go and change the password, get the HTML source code, and then insert it into some HTML file etc., crafted as you want, and then push it to your remote server, and all this processing, but I did it for you, okay. Let's try the next demo, I just need the cookie.
Okay, so yeah, we've got two utilities, so csrft utils is the one we're going to use, and form dumper takes some input and then creates, you know, a form that you can then use, for example if you found some CSRF on a REST API, you just say,

okay, I don't know if you can see clearly, but you're just calling the utility, okay, saying that the form is located here, at this site, at this IP address, using your authentication cookie, then, you know, you can manage to access the page, okay, and then, okay, the other parameters, so you just say that the parameter which is vulnerable is the password, you're going to use a special value attack, and the password is going to be "wood wood", but we're going to change it, I change this back to bsides, okay. And with this tool I added some selectors, so if you found some specific selectors for a specific form, let's say, I don't know, it has got the class "change password", you know, you can specify it, and otherwise it's going to iterate on all the forms that you can have in the web page, and it's going to ask you the one you want to target, okay. So you just launch it, as it said, no selectors defined, it just takes the first one if there is only one, and otherwise it's going to iterate and ask you for the one that you want, and then, you know, give you some information. Using the /tmp, the csrft tmp conf in /tmp, we can give it a try if you want.

I don't know if you can see, but okay, I just went in /tmp, yeah, this is the configuration file that you're going to launch with the toolkit. So basically it's just taking a form with the method POST and the type of attack is special value, okay, that's the only thing it's doing. So we can just check the form as well, and okay, so as you can see, you know, it just did a GET request to the HTTP server, got all the content, well, the innerHTML, and just dumped the specific part that you wanted, you know, by replacing all the information, and as you can see here we got the password with the new value, which is bsides. Let's go, okay. So as you can see I'm logged in here, I just reload the page, and here as you can see it's initializing the session again, it's sending one request, payload undefined, because still it's a special, specific value attack that we're doing, and then normal payloads, okay. I just logged out, log in again, bsides, bsides, oops, the demo effect, oh okay, it should have worked, okay, sorry for this. Okay, I guess I missed one step. "If you can change the admin password?" Yes, I changed it, but with the value bsides, yeah, yeah, but yeah, yeah, okay, something went wrong, can I try to debug it? Okay, sorry for this, it should have worked, the demo effect, etcetera etcetera, sorry. But okay, it's just to show you, you know, the strength of the tool, I mean just with one command line you can manage to, you know, just set up an HTTP server with some malicious payload, then just send it to the victim, etc. It's okay, I don't know why, yeah, sorry.

So now let's take a look at the bad design in some web applications. So obviously there was no token in the login form, and you can manage to automate this process, and a lot of web applications don't have any token in the login form, so this means that, okay, the rest of the
application can be targeted, and, you know, if there is, I would say, I don't know, a zero-day on, you know, some HTML forms etc., you will be able to reach it, and if he has got some weak credentials you will be able to, you know, target some people. So that's the first case, and the second one is, you know, I'm sure a lot of people have already had those kinds of forms where it's asking for your old password and for the new one. So here, the same, you don't have any token, and if he has got some weak credentials, you can manage to, you know, the user will be able to brute-force his own password, then you will see it in the console, okay. But this user, you know, maybe doesn't remember his old password, but you really want to change it. So this is, yeah, some other bad design that you can, you know, find on the internet.

And so the mitigations that you can do here: so basically we have this request token, so a value which is randomly generated on the server side and then processed, checked, etc. on the server, and it's one of the most used, you know, mechanisms nowadays. Otherwise we have this re-authentication, like, you know, the previous example when it's asking for your password if you want to change your settings; if you have got a weak one, good for you, you can manage to, you know, change these settings, do everything. And otherwise you get other methods, captcha, timeout. And I don't know if you heard about it, you know, there was a blog post on the Metasploit blog about NoScript, I don't know if you heard about it, but okay, and if you just use NoScript with the default configuration, you still, you know, can manage to, you know, take advantage of CSRF flaws, you will just need, you know, some custom interaction, just an interaction like a click, a click redirection, and it would... my two cents on the payload, I didn't have the time to insert it as a new feature in the tool, but it's a work in progress. So if you want to be, you know, completely protected, just use NoScript with ABE, so basically ABE is just a set of rules that you can set to ensure even more, you know, security etc. about the HTTP requests that you're doing.

And I'm sure you waited for the surprise, maybe not, I don't know. So I created a vulnerable machine with the web application that we saw earlier, okay, I promise there will be no bug, I hope so, it will be hosted on VulnHub, I guess a lot of people here know about this platform, okay, it will be hosted here, so let's see how it goes, and obviously you must exploit CSRF flaws to get root access, there are some tricky other vulnerabilities to be able to do this, but spoiler, one of the first ones is a CSRF flaw, okay. So good luck, I don't know if you're going to try it, but it should be, yeah, on the website, I don't know, maybe end of the week or something, because just going back to France, it's that you have a lot of stuff to do, and fight again with those strikes, this is going to be hard, let's see. Okay, do you have any questions?

Well, when you're using CSRF attacks it's completely blind, so it means that you're going to send a request, but unfortunately or fortunately, depending on the side you are on, it's going to be completely blind, so you will not be able to, you know, get the output, well, get the result, I mean the result page, so you're just doing it blind. And yeah, the assumption here then is that the user uses some weak credentials, etc., and, you know, I finished really early, but okay, thanks a lot, hope you liked it.