Tackling cross-site request forgery (CSRF) on company websites (Security News, March 2021)
The action of adding a page was vulnerable to CSRF. My pen test attack not only created a new page, but also stole administrative credentials from the site, using some unorthodox HTML. The start of any CSRF attack is the payload. The first thing to note here is that when an iframe loads, the browser sends a GET request to whatever URL is specified in its 'src' attribute, attaching the cookies it holds for that site.
How would an attacker get the payload to fill the whole page? As we demonstrated in our test, the height and width properties of an iframe can be set from JavaScript, so the frame can be stretched to cover the entire viewport.
The danger of this type of CSRF attack is that, rather than trying to bypass the browser's same-origin policy, the attacker isn't breaking it at all: they just need to attach a function to the login button on '/admin'.
I then went on to test how an attacker would be able to exploit the CSRF. Burp Suite has a function that generates a CSRF proof-of-concept page (an auto-submitting form aimed at the vulnerable action), which would let an attacker quickly whip one up for this vulnerable site.
If the target is logged into the application and clicks the button, the attack succeeds and the attacker's page is added.
This entire attack hinges on a user being tricked into clicking a malicious link or browsing to an attacker-controlled site while still logged in.
News URL: http://feedproxy.google.com/~r/HelpNetSecurity/~3/ZjKr31caWIE/