17:49 ---

What is CSRF?
CSRF (Cross-Site Request Forgery) is a
vulnerability found in web applications which
allow a remote attacker to create a special
web page or email which, when viewed by an
authenticated viewer on a remote site, will
execute a particular script. The script executed
could range from creating usernames with
administrative access, changing the admins
(or any other user's) password, creating
content on the site, deleting content on the
site, and any other action that a user with an
authenticated session might be able to do.

How do I find CSRF Vulnerabilities?
This is an interactive tutorial on finding CSRF
Vulnerabilities using a demo CMS from



At the time of this writing the vulnerability
exists on Dubsite CMS 1.0 but the vendor has
been alerted to this and thus I cannot verify
that at the time this is written the vulnerability
will exist. The tools I use to find CSRF
vulnerabilties are Firefox Web Browser, the
Tamper Data Firefox Plug-in, and Notepad++
(or any other text-editor).
Step 1: visit


and login with the following credentials:

Username: admin
Password: demo000

Step 2: Navigate to the user control panel of
the admin page located at



Step 3: We are now going to attempt to
modify the administrator's password. Click on
edit and fill in the data you want. Before you
click submit, start tamper data to sniff the
Now make a note of the parameters passed to
the website.
The stuff we interested in are the URL up top
and all the POST parameters in the right
window. Open up your favorite text-editor and
copy down all these values.

Step 4: Here comes the fun part, we are going
to create our evil URL. We have to combine
our base url with our post parameters.
Our base URL is the URL we copied from
tamper data. In this case our base URL is :


When we append POST parameters to a base
URL we start with adding a ? to the base URL
and then combine parameters by linking them
with a &. An example is
A more specific example is for our Dubsite
CMS base URL:


As you can see we send the data back to the
server the same way our browser sent it. This
example URL will edit the administrator
account's password and change it to test123.

Step 5: Now we have a few methods of getting
the authenticated administrator to execute
this command. First of all we could make a
website and set it like this:
<html><head></head><body><img src =
id=1&active=1&update=Update" /></body></
When the web browser views the page it will
send the link to the admin's site trying to get
the information for the image which will in
turn execute the change password feature.
Another way to get the admin to execute the
command is to email the admin with the
<img> tag trick in the body of the email.
Opening the email will cause the server to try
to grab the image and will execute the change
password function.


CSRF vulnerabilities could cause a lot of harm
to a system admin because the form does not
have some sort of validation token in place to
make sure the administrator is actually
issuing the command. A technique that will
stop many attackers is to add HTTP_REFERER
checking to the page with the form. Coming
from an email or other website, the request for
the form will be either blanked out or wrong
and thus tip off the admin to what is going
on. Combined with session tokens for making
sure each visit to the form is unique, this will
stop attackers from attacking your site via
CSRF techniques.
The create user function is also vulnerable to
CSRF attacks. For more practice try to exploit
it and create your own administrator user.
credits to connection