The following article describes how to utilize the OWASP CSRFTester to generate test cases during an application security assessment.
To download the tool, please visit the OWASP CSRFTester project page.
An outline of the steps necessary to launch and utilize the CSRFTester:
- Update the JAVA_HOME environment variable in run.bat.
- Double-click run.bat.
- Configure your browser to proxy through CSRFTester.
- Record the execution of a business function.
- Modify the parameters of the recorded business function.
- Generate an HTML report that carries out the business function.
- In a separate browser window (and with a separate user), view the generated HTML file.
If the action was successfully carried out, then the application is vulnerable to CSRF.
Launch OWASP CSRFTester
The CSRFTester distribution contains three files:
The run.bat script configures the classpath to include the required jars and invokes the appropriate main class. Currently, the batch script assumes your JDK runtime exists under
C:\AppSecWorkbench\jdk16\jre. Obviously, this will not be the correct location of your JVM. Make sure you update the JAVA_HOME environment variable in run.bat before attempting to execute the batch file. Assuming proper configuration, executing run.bat should launch CSRFTester. If an error occurs, evident when the command line interface quickly disappears, consider opening up a separate CLI and CD directly to the folder of your run.bat file and execute it via command line. Any errors that may occur will display to stdout.
Record Execution of Business Functions
Once the CSRFTester loads successfully, we must record a transaction that we want to test for CSRF. First, configure the browser to proxy all HTTP traffic through CSRFTester. We can configure this proxy behavior in IE using the Tools menu: Select Tools > Internet Options > Connections > LAN Settings will display the proxy configuration dialog.
CSRFTester defaults to using port 8008 on localhost for its proxy. You need to configure IE to relay requests to CSRFTester, rather than fetching them itself, as shown in the above image. Make sure that all checkboxes are unchecked, except for "Use a proxy server". Once you have configured IE to use the proxy, select Ok on all dialogs to get back to the browser. Browse to a non-SSL website, and then switch to CSRFTester.
If the proxy was successfully configured, CSRFTester will generate debug messages to stdout for all subsequent HTTP requests generated by your browser. At this point, we need to locate a particular business function that we want to test for CSRF. Browse to the page where the business function (or functions) are first "loaded". Once this page is located, select the "Start Recording" button in CSRFTester and execute the business function or functions. Once complete, click the "Stop Recording" button within CSRFTester. You'll notice that the list on the main screen now has a series of requests recorded. These are all of the GET/POST requests generated by our browser while executing the business function(s). By selecting one of the rows in the list, we now have the ability to modify the parameters that were used to execute the business function. We can modify the "query string" parameters and "form" parameters through their respective panes on the bottom half of the screen. Note that these are the values we wish to trick the end user into submitting. Once all of the parameters have been modified to contain your desired values, we are now ready to begin generating HTML reports.
Generate HTML Reports
The HTML reports generated by the CSRFTester tool are used to carry out the CSRF test cases against other users of the web application. To generate a report, we first must select a "report type". The report type determines how we want the victims browser to submit the previously recorded requests. There currently exists 5 possible reports: forms, iFrame, IMG, XHR, and Link.
Forms: This report type will submit the request(s) using auto-posting forms iFrame: This report type will submit the request(s) using and auto-submitting iframe tag. IMG: This report will submit the request(s) using the <img src="..."/> tag XHR: This report will submit the request(s) using XMLHttpRequest. Note that this is subject to the same origin policy. Link: This report will submit the request(s) when the user clicks a link.
Once a report type is selected, you can optionally launch the newly generated report in your browser. To enable/disable this option, check/uncheck the "Display in Browser" checkbox next to the "Generate HTML" button in the bottom right-hand corner. Finally, we can click the "Generate HTML" button to create the HTML report that will submit our recorded (and possibly modified) actions. To carry out the test case, open a new browser instance, authenticate as another user with access to the same business function(s), and have that user/browser launch the newly created HTML report file. If the action was carried out after viewing the file in the same browser window that was used to authenticate the new user (i.e. the victim), then that particular business function is vulnerable to cross-site request forgery.