Automatically detecting CSRF with Python

Here, we will look at an approach to automatically detecting CSRF in web applications using Python, BeautifulSoup, Selenium, and PhantomJS. Before automating the detection, let's discuss the approach we will take. We know that CSRF attacks are mitigated by implementing anti-CSRF tokens.

Any form served by the server that can modify server-side state should carry a hidden field containing a random, unguessable value called a CSRF token. In the widely used double-submit cookie pattern, the same secret is also set in a cookie. When the form is posted back, the server extracts the secret from the cookie and compares it with the value posted in the hidden field. If both secrets match, the request is assumed to be genuine and is processed further; a forged cross-site request fails the check because the attacker's page cannot read the victim's cookie or the hidden field and so cannot supply the right value.
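The server side of that check, as an added example (not code from the original page). It implements the double-submit pattern described above with the Python standard library only; the cookie name `csrftoken`, the field name `_csrftoken`, the `/transfer` action and the session cookie value are assumptions for this illustration.

```python
import hmac
import secrets
from html import escape

# Cookie and hidden-field names are assumptions for this illustration
# (the page's own list uses names such as csrftoken / _csrftoken).
TOKEN_COOKIE = "csrftoken"
TOKEN_FIELD = "_csrftoken"


def issue_csrf_token():
    """Generate the per-session secret. It is set in the cookie and also
    embedded in every state-changing form; 32 random bytes is unguessable."""
    return secrets.token_hex(32)


def render_form(csrf_token):
    """Render a state-changing form carrying the token as a hidden field."""
    return (
        '<form method="POST" action="/transfer">\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" value="{escape(csrf_token)}">\n'
        '  <input type="text" name="amount">\n'
        '</form>'
    )


def validate_request(cookies, posted_fields):
    """Server-side double-submit check.

    cookies       -- dict of cookie name -> value sent with the request
    posted_fields -- dict of POST body field -> value

    Both copies of the secret must be present and identical. A forged
    cross-site form cannot supply the hidden value because the attacker's
    origin cannot read the victim's cookie or page. compare_digest keeps
    the comparison constant-time so the token cannot be guessed byte by byte.
    """
    cookie_token = cookies.get(TOKEN_COOKIE)
    form_token = posted_fields.get(TOKEN_FIELD)
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def demo():
    """One genuine submission and two forged ones; returns the three verdicts."""
    token = issue_csrf_token()
    # Constructed session: the browser holds the session cookie and the token cookie.
    cookies = {"PHPSESSID": "constructed-session-id", TOKEN_COOKIE: token}

    genuine = {TOKEN_FIELD: token, "amount": "100"}          # posted from our own form
    forged_no_token = {"amount": "100"}                      # attacker's auto-submitting form
    forged_guess = {TOKEN_FIELD: "0" * 64, "amount": "100"}  # attacker guesses a value

    return (
        validate_request(cookies, genuine),
        validate_request(cookies, forged_no_token),
        validate_request(cookies, forged_guess),
    )


if __name__ == "__main__":
    print(render_form(issue_csrf_token()))
    print(demo())  # (True, False, False)
```

Note that the cookie must be unguessable and the compare constant-time; a check that only tests for the presence of the hidden field, or that compares with `==`, is weaker than it looks.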

We will use the same approach in our detection mechanism. For any form that posts back to the server, we will extract all the input fields and compare their names with a list of hidden-field parameter names commonly used for CSRF tokens across technologies such as Java, PHP, Python/Django, ASP.NET, and Ruby. We will also look at the cookies that are set before the form is submitted and compare their names with the cookie names commonly used for CSRF protection across well-known technology stacks.

Again, note that the script simulates normal user behaviour: it logs into the application, maintains a valid session, and only then looks for CSRF flaws. The most commonly used CSRF hidden-field parameter names, along with their technology stacks, are shown here:

  • ASP.NET [Hidden field : __RequestVerificationToken, Cookie : RequestVerificationToken]
  • PHP [Hidden field : token, Cookie : token], [Hidden field : _csrfToken, Cookie : csrfToken]
  • PHP [Hidden field : _csrftoken, Cookie : csrftoken]

The preceding list could be more exhaustive, but it is sufficient for our purposes. We will use DVWA (Damn Vulnerable Web Application) to build our proof-of-concept script.
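The detection heuristic just described, as an added example rather than the page's own script. It parses the forms on one page, skips GET forms (which should not change state), checks each POST form's hidden inputs against the known token-field names, and separately reports whether the session carries a known token cookie. The standard library's `html.parser` stands in for BeautifulSoup so the block runs offline; the sample page and cookies are constructed (loosely modelled on DVWA's password-change page), and the Django, Rails and Laravel names are additions to the page's list.

```python
from html.parser import HTMLParser

# Names are compared case-insensitively. The ASP.NET and PHP entries come from
# the page's list; the Django, Rails and Laravel names are additions.
KNOWN_TOKEN_FIELDS = {
    "__requestverificationtoken",            # ASP.NET
    "token", "_csrftoken", "csrftoken",      # PHP (and generic)
    "csrfmiddlewaretoken",                   # Django
    "authenticity_token",                    # Rails
    "_token",                                # Laravel
}
KNOWN_TOKEN_COOKIES = {
    "requestverificationtoken", "__requestverificationtoken",  # ASP.NET
    "token", "csrftoken",                                       # PHP, Django
}


class FormCollector(HTMLParser):
    """Collect every <form> with its method, action and named <input>s."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["inputs"].append(
                {"name": a["name"], "type": (a.get("type") or "text").lower()}
            )

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_forms(html, cookies):
    """Apply the heuristic to one page: for each state-changing (non-GET)
    form, look for a known anti-CSRF hidden field, and note whether a known
    anti-CSRF cookie is present in the session.

    Returns one dict per POST form. 'likely_vulnerable' is True when no known
    token field is found; a token cookie on its own does not protect a form.
    """
    collector = FormCollector()
    collector.feed(html)
    token_cookies = sorted(n for n in cookies if n.lower() in KNOWN_TOKEN_COOKIES)

    findings = []
    for form in collector.forms:
        if form["method"] == "get":
            continue  # GET should not change state; out of scope
        token_fields = [
            i["name"] for i in form["inputs"]
            if i["type"] == "hidden" and i["name"].lower() in KNOWN_TOKEN_FIELDS
        ]
        findings.append({
            "action": form["action"],
            "token_field": token_fields[0] if token_fields else None,
            "token_cookie": token_cookies[0] if token_cookies else None,
            "likely_vulnerable": not token_fields,
        })
    return findings


# Constructed sample page and session cookies (assumed, not captured from a live target).
SAMPLE_HTML = """
<html><body>
<form method="GET" action="/search">
  <input type="text" name="q">
</form>
<form method="POST" action="/transfer">
  <input type="hidden" name="__RequestVerificationToken" value="abc123">
  <input type="text" name="amount">
</form>
<form method="post" action="/change_password">
  <input type="password" name="password_new">
  <input type="password" name="password_conf">
  <input type="submit" name="Change" value="Change">
</form>
</body></html>
"""
SAMPLE_COOKIES = {"PHPSESSID": "constructed-session-id", "security": "low"}


if __name__ == "__main__":
    for f in audit_forms(SAMPLE_HTML, SAMPLE_COOKIES):
        status = "LIKELY CSRF" if f["likely_vulnerable"] else "protected"
        print(f"{f['action']:<20} field={f['token_field']} cookie={f['token_cookie']} -> {status}")
```

In the full script the HTML and cookies would come from the Selenium/PhantomJS session after login; the heuristic itself is the same. It is name-based, so a token under an unlisted name (DVWA's own `user_token`, for instance) is reported as missing until the list is extended, and a listed field with a static or predictable value is reported as protected. Treat the output as candidates to verify by replaying the request without the token.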
