CSRF (cross site request forgeries)

Apr 20, 2012 | comments

CSRF (cross site request forgeries) attack

Website hacking with CSRF
CSRF is almost the opposite kind of attack from XSS. Rather than exploiting the trust that a user has for a particular site, CSRF exploits the trust that a site has for a particular user. In the case of XSS, the user is the victim. In the case of CSRF, the user is an accomplice.
Because CSRF involves a forged HTTP request, it is important to first understand a little bit about HTTP, the protocol that web clients and servers use to communicate. Web clients (browsers) send HTTP requests to web servers, and the servers return HTTP responses in reply. A request and its corresponding response make up an HTTP transaction.

The word CSRF itself means that the attack is done using a cross-site request; it’s “forged” because it’s invisible to the user. A cross-site request is one where a page loaded from one website makes a request to another site for resources that are part of the page (like images, for example). While it’s easy for a malicious site to have such HTML code in its pages, such cross-site requests can also be caused by viewing bulletin boards, forums, or social networking sites (for example) where users are allowed to post images with foreign URL sources — that is, the images are hosted on other sites. CSRF attacks are effective in situations which meet the following criteria:
  • The victim has an active session on the target site.
  • The victim is authenticated by implicit authentication mechanisms (like cookies or HTTP authentication) on the target site.

                

The differences between XSS and CSRF

Though CSRF seems similar to Cross-Site Scripting (XSS) at first, the two are completely different attack vectors. Where XSS aims at inserting active code into an HTML document, either to abuse client-side scripting holes or to send privileged information (e.g., authentication/session cookies) to an unknown evil website, CSRF aims to perform unwanted actions on a website where the victim has some prior relationship and authority.
Moreover, where XSS seeks to steal your online trading cookies so an attacker can manipulate a victim's account, CSRF seeks to use the victim's cookies to force them to execute a trade without their knowledge or consent. While XSS attacks exploit the trust that a user has in the website, CSRF attacks exploit the trust that the website has in its user.

 

Types of CSRF attacks

CSRF attacks can be divided into two major categories — reflected and stored/local.

 

Reflected CSRF attacks

In a reflected CSRF attack, the attacker uses a system outside the application to expose the victim to the exploit link or content. This can be done using a blog, an email message, an instant message, a message-board posting, or even a flyer posted in a public place with a URL that a victim types in.
Reflected CSRF attacks will frequently fail, as users may not be currently logged into the target system when the exploits are tried. The trail from a reflected CSRF attack, however, may be under the attacker’s control, and could be deleted once the exploit is completed. The three attack scenarios we looked at earlier are examples of reflected CSRF attacks.

 

Local/stored CSRF attacks

A stored/local CSRF attack is one where the attacker can use the application itself to provide the victim the exploit link, or other content which directs the victim’s browser to perform attacker-controlled actions in the application. Stored CSRF vulnerabilities are more likely to succeed, since the user who receives the exploit content is almost certainly currently authenticated to perform actions.
Stored CSRF attacks also have a more obvious trail, which may lead back to the attacker, since the origin of the malicious HTTP request is hosted in the attacked website. Examples include bulletin boards and social sites where users are allowed to post images with foreign URL sources. These are harder to find and destroy.

 

Advanced uses of CSRF

The following advanced techniques that use CSRF attacks have been observed in recent years.

 

Bypassing CSRF protections with click-jacking

This recently-evolved technique can be used to bypass CSRF protection and submit POST-based forms with attacker-controlled data, using click-jacking. (See the highlight box on click-jacking for more information.) The best example of this attack is the exploitation of email update services, which are quite common in Web applications. Here the attacker forces victims to update their e-mail IDs to the attacker's, so that the attacker can then compromise the victims' accounts by performing a password reset.
This attack can succeed even if the Web application uses tokens for CSRF protection.
Click-jacking is an attack involving embedded objects on a maliciously crafted Web page. Using framed content, or content from Flash, Silverlight, or Java, the attacker places a transparent or invisible button beneath the mouse, so that whenever the user clicks on something they see on the page, they are also clicking on an unseen website that may contain malicious code. The attack can also take advantage of dynamic HTML and CSS (Cascading Style Sheets) code for further disguise.
The difference between CSRF and click-jacking is that in CSRF, the victim’s browser performs the attack (loading the state-changing URL directly) without the victim clicking to launch it, while in click-jacking, the user actually interacts with something, but the action is “hijacked” by placing a layer between the user and the page element that launches a legitimate action.

 

Safeguarding Against CSRF

Safeguarding your applications against CSRF is a bit more challenging than safeguarding them against XSS attacks, but there are a few guidelines that you can follow.
 
Use POST
Although it doesn't prevent CSRF, you should require POST for any request that performs an action. This also means using $_POST instead of $_REQUEST.
 
Require Verification
Although convenience is a hallmark of good design, if a single request can trigger an important action, the risk of CSRF is increased. For important actions, don't hesitate to ask the user for verification. For extremely sensitive actions, consider requiring the user to provide a password in order to authorize the action.
 
Use an Anti-CSRF Token
The root cause of CSRF is a failure to verify intent. In order to help verify intent, consider adding an anti-CSRF token to your forms. Consider Listing 2 as a substitute for the form used to post to forum.example.org. When a user requests this form, a new token is generated, saved in the user's session, and included in the form as a hidden form variable. Therefore, when a request is received by post.php, not only can $_POST['token'] be compared with $_SESSION['token'], but a timeout can also be applied to further minimize the risk. This tactic practically eliminates CSRF.
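The token-with-timeout approach described above, written out as an added example (this is not the page's Listing 2). The form.php/post.php layout, the 300-second timeout and the X-Frame-Options header (which keeps the form out of the foreign frames used in the click-jacking bypass above) are assumptions; random_bytes() needs PHP 7 or later.

```php
<?php
// Added example (not the page's Listing 2); form.php/post.php layout assumed.
session_start();

// Issue a fresh random token and record when it was issued.
function csrf_issue_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['token'] = $token;
    $_SESSION['token_time'] = time();
    return $token;
}

// Compare the submitted token with the session copy and enforce a timeout
// ($maxAge in seconds; 300 is an assumed value).
function csrf_check_token(string $submitted, int $maxAge = 300): bool
{
    if (empty($_SESSION['token']) || empty($_SESSION['token_time'])) {
        return false;
    }
    if (time() - $_SESSION['token_time'] > $maxAge) {
        return false;
    }
    // Constant-time comparison; also avoids PHP's loose == on strings.
    return hash_equals($_SESSION['token'], $submitted);
}

// form.php: embed the token as a hidden field.
function render_form(): string
{
    header('X-Frame-Options: DENY'); // keep the form out of attacker frames (click-jacking)
    $token = htmlspecialchars(csrf_issue_token(), ENT_QUOTES, 'UTF-8');
    return '<form action="post.php" method="post">'
         . '<input type="hidden" name="token" value="' . $token . '" />'
         . '<textarea name="message"></textarea>'
         . '<input type="submit" value="Post" /></form>';
}

// post.php: require POST and a valid, unexpired token before acting.
function handle_post(): string
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        return 'POST required';
    }
    $token = isset($_POST['token']) ? (string) $_POST['token'] : '';
    if (!csrf_check_token($token)) {
        http_response_code(403);
        return 'Invalid or expired token';
    }
    // Single use: drop the token so a replay within the timeout also fails.
    unset($_SESSION['token'], $_SESSION['token_time']);
    return 'Message accepted';   // ... store $_POST['message'] here ...
}
```

Because the token is tied to the session and discarded after one use, a forged cross-site request has neither the value nor a chance to replay it.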

Gmail Hacking Via MITM Based Attack

Apr 19, 2012 | comments (1)

Hacking an email account is probably something that intrigues all of us. Phishing is an example of a social engineering technique used to take advantage of human ignorance; it allows unscrupulous people to exploit the weaknesses in web security technology. Here we discuss an advanced way to perform an automated phishing attack.

Setup:


Our main intention here is to abuse the password reset functionality of various email service providers in a smarter, automated manner. We will use Selenium and its Python WebDriver API to automate this entire process. Selenium is a software testing framework for web applications; it can automate a browser locally or remotely (http://seleniumhq.org/). We will write a custom Selenium web server in Python and a dynamic fake survey form in PHP. The fake survey form will communicate with the Selenium web server through its custom APIs in the back end (using PHP curl or something similar).

Execution:


Step 1: Start the custom Selenium server

First we start our custom Selenium web server and host the fake survey form with any hosting provider that supports PHP and PHP curl. We then send the link to that fake survey form to the victim.
Once started, the custom Selenium web server continuously monitors the victim's activity. When the victim visits the fake survey form, the form informs the Selenium web server through PHP curl that the victim has opened the page.

Step 2: Send the custom form to the target

Create a fake registration form for anything you like that asks the user for an email ID, for example an interesting new free coupon for restaurants, a free download, etc. When the victim enters his/her email ID, our custom web server automatically tries to recover the password of that email ID, received from the fake survey form, using the Selenium WebDriver API. As Selenium is quite fast, this takes at most 5 to 6 seconds.

Step 3: Automatically initiate the password recovery process

Almost all well-known webmail providers (e.g. Google, Yahoo, etc.) use some anti-automation technique (a CAPTCHA) at these critical steps. Those CAPTCHAs are not easy even for a human to solve, so trying to break them with available OCR engines would be a waste of time. Human effort is therefore required to break them. How? We have a trick for that too.

Step 4: Send the CAPTCHA/secret question/any other challenge back to the user to solve

After detecting an anti-automation check on the page, our Selenium web server extracts the CAPTCHA from the password recovery form and asks the victim to solve that same CAPTCHA. When the victim solves it, the server takes that answer and submits the actual CAPTCHA form. BINGO!
Once the CAPTCHA is solved, it faces the first security question (if available); it then extracts that first security question from the actual password recovery form and adds it to the survey form along with other fake questions, to make the survey form look a bit more realistic.

Step 5: Send the user's response to Gmail and reset the password

When the victim answers that question, the server instantly takes the answer and submits it in the actual password recovery form. We expect that the victim will answer the security questions correctly.
When it then faces the second security question, it treats it in the same manner. Once it has got this far, it changes the account password to our desired one automatically.

Abusing SMS/email-based password recovery using the same technique:

SMS/email-based password recovery systems can also be abused using the same technique. In the case of Gmail, when our custom Selenium web server detects that there is no security question option in the password recovery form of the target email account, it goes for the SMS-based password recovery option. Google's web application generally discloses the last two digits of the registered phone number and sends the SMS to that phone. Our custom Selenium web server does the same: it directly extracts the last two digits from the recovery form and sends them to the victim. The phishing form is designed in such a way that it says something like this:

“Hey you have to go through a verification process to download this software package. Please enter your mobile no.We will send a verification code through Google to that number”.
Luckily, Google sends the password recovery code through SMS very poorly. It just sends an SMS like:

“Your Google Verification Code is :123456”.

Within a second of the victim entering the mobile number, our Selenium web server submits it, and the victim receives the password reset code from Google. As there is currently no indication in that SMS from Google that it is a very critical code, unlike other verification codes, it is quite natural for a general Internet user to trust the application and share the password reset code.

In the next step the form asks for the received code, and after getting the code our Selenium server does the rest, which is changing the password.

Make Your Own Online Ransomware Unlocker Service

Apr 3, 2012 | comments

Free Ransomware Unlocker Service
Here is a simple PHP script for INDIATRIKS readers to make your own online unlocker service against ransomware, inspired by Kaspersky Deblocker:

config.php:

<?php
    // Xyl2k! :þ
    // Admin ids
    $LOGIN = "root";  //login
    $PASSWD = "toor";   //password
    // MySQL ids
    $MySQL['HOST'] = 'localhost';
    $MySQL['USER'] = 'root';
    $MySQL['PASS'] = '';
    $MySQL['DB']   = 'ransom';

    // mysqli replaces the mysql_* extension, which was removed in PHP 7.
    $db_connection = mysqli_connect($MySQL['HOST'], $MySQL['USER'], $MySQL['PASS']);
    if (!$db_connection)
            die('Error - Could Not Connect to the Server.');
    $db_selected = mysqli_select_db($db_connection, $MySQL['DB']);
    if (!$db_selected)
            die('Error - Could Not Connect to the Database.');

ransom.php:

<?php
    require('config.php');
?>

<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Ransom Unlocker</title>
        <link rel="stylesheet" media="screen" type="text/css" title="Design" href="style.css" />
    </head>
    <body>
        <center>
            <font size="6"><b>&#9763; Unlocker &#9763;</b></font>
        </center>
        <form id="form1" name="form1" method="GET" action="<?php echo htmlspecialchars(basename($_SERVER['PHP_SELF']));?>">
        <label for="call">Code to call: </label>
        <input type="text" name="call" id="call" />
        <input style="text-shadow: none;" value="Search" type="submit" />
        <?php
        if (isset($_GET['call']))
        {
            // Look up the unlock code with a prepared statement, so the
            // user-supplied value can never alter the query (mysqli replaces
            // the mysql_* functions removed in PHP 7).
            $call = $_GET['call'];
            $stmt = mysqli_prepare($db_connection, 'SELECT serial FROM winlock WHERE codetocall = ?');
            mysqli_stmt_bind_param($stmt, 's', $call);
            mysqli_stmt_execute($stmt);
            $req = mysqli_stmt_get_result($stmt);
            if (!mysqli_num_rows($req))
                echo '<p> Unlock code not found</p>';
            else
                while ($datas = mysqli_fetch_array($req))
                    echo '<p> Unlock code: <b>'.htmlspecialchars($datas['serial']).'</b></p>';
            mysqli_stmt_close($stmt);
        }
        ?>
        </form>
    </body>
</html>

ransomadmin.php:

<?php
    session_start();
    require('config.php');

    // Grant admin access when valid credentials are posted.
    if (isset($_POST['login']) && isset($_POST['password']))
        if ($_POST['login'] == $LOGIN && $_POST['password'] == $PASSWD)
            $_SESSION['access'] = true;
?>

<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Admin - Ransom Unlocker</title>
        <link rel="stylesheet" media="screen" type="text/css" title="Design" href="style.css" />
    </head>
    <body>
        <center>
        <font size="6"><b>&#9763; Unlocker Admin &#9763;</b></font>
        </center>
        <?php
        if (isset($_SESSION['access']) && $_SESSION['access'] == true)
        {
        ?>
            <form id="form1" name="form1" method="POST" action="ransomadmin.php">
            <table border="0">
              <tr>
                <td align="right"><label for="call">Code to call:</label></td>
                <td><input name="call" type="text" id="call" size="48" maxlength="255" /></td>
              </tr>
              <tr>
                <td align="right"><label for="serial">Unlock code:</label></td>
                <td><textarea name="serial" id="serial" cols="45" rows="5"></textarea></td>
              </tr>
              <tr>
                <td>&nbsp;</td>
                <td><input style="text-shadow: none;" value="Add" type="submit" /></td>
              </tr>
            </table>
            </form>
        <?php
            if (isset($_POST['call']) && isset($_POST['serial']))
            {
                // Prepared statement instead of string concatenation (mysqli
                // replaces the mysql_* functions removed in PHP 7).
                $stmt = mysqli_prepare($db_connection, 'INSERT INTO winlock (codetocall, serial) VALUES (?, ?)');
                mysqli_stmt_bind_param($stmt, 'ss', $_POST['call'], $_POST['serial']);
                mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
                mysqli_stmt_close($stmt);

                echo "<p>Le code ".htmlspecialchars($_POST['call'])." à été inséré !</p>";
            }
        }
        else
        {
        ?>
            <form name="tapz" action="<?php echo htmlspecialchars(basename($_SERVER['PHP_SELF']));?>" method="POST">
                <table border="0">
                    <tr>
                        <td align="right">Login :</td>
                        <td><input name="login" type="text" size="30" maxlength="30" /></td>
                    </tr>
                    <tr>
                        <td align="right">Password :</td>
                        <td><input name="password" type="password" size="30" maxlength="30" /></td>
                    </tr>
                    <tr>
                        <td>&nbsp;</td>
                        <td><input type="submit" value="-= Connect =-" /></td>
                    </tr>
                </table>
            </form>
        <?php
        }
        ?>
    </body>
</html>


sql database:

-- phpMyAdmin SQL Dump
-- version 3.3.9
-- http://www.phpmyadmin.net
--
-- Server: localhost
-- Generated on: Sun 10 April 2011 at 19:00
-- Server version: 5.1.36
-- PHP version: 5.3.0

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;

--
-- Database: `ransom`
--

-- --------------------------------------------------------

--
-- Table structure for table `winlock`
--

CREATE TABLE IF NOT EXISTS `winlock` (
  `codetocall` varchar(255) NOT NULL,
  `serial` text NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

--
-- Dumping data for table `winlock`
--

INSERT INTO `winlock` (`codetocall`, `serial`) VALUES
('123456', 'XXX-XXX-XXX-XXX');
 
Copyright © 2011. INDIATRIKS - All Rights Reserved