CLI identifies XSS but not CSRF

uasalian

12 Sep, 2016 04:37 PM

Hello,

I tried Arachni against a small test web app in CLI mode. The app allows a user to log in and change personal profile details such as address, phone number, etc. Arachni identified all XSS issues but did not identify the issue when tested for CSRF. What am I missing here? Can you please help? I call Arachni as follows:

arachni ${ATTACK_URL} \
--plugin=autologin:url=${LOGIN_URL},parameters=${LOGIN_PARAMS},check=${LOGIN_CHECK} \
--scope-include-pattern  ${IN_SCOPE_URL_PATTERN} \
--output-only-positives \
--report-save-path ${REPORTS_DIR} \
--checks=csrf \
 > ${TEMP_LOG} 2>&1
  1. Support Staff 1 Posted by Tasos Laskos on 13 Sep, 2016 08:18 AM

    Do these forms have anti-CSRF tokens?
    Also, are there any log-out URLs that need to be excluded?

  2. 2 Posted by uasalian on 13 Sep, 2016 09:20 PM

    Hi Tasos,

    Thanks for responding. These forms do not have any anti-CSRF defense by intent, and I would like such forms flagged by the tool. I did have the logout URL specified by --scope-exclude-pattern, but it did not seem to make any difference for either XSS or CSRF testing, so I removed that parameter (I am using v1.4).

  3. Support Staff 3 Posted by Tasos Laskos on 14 Sep, 2016 07:41 AM

    Do the forms include a nonce of some kind?
    A dynamic value in their fields that gets updated with each request?

  4. 4 Posted by uasalian on 14 Sep, 2016 02:00 PM

    No, the form does not have any nonce. It has 6 text input fields and a submit button.

  5. Support Staff 5 Posted by Tasos Laskos on 14 Sep, 2016 02:01 PM

    Any chance I can have access to the web application?
    You can send over the details in private if you'd like.

  6. 6 Posted by uasalian on 15 Sep, 2016 02:27 AM

    Hi Tasos,

    I wanted to send you my code, but I see that the link you gave is partially masked, so I cannot use it. Please advise how I can send you the details.

    Thanks!

  7. Support Staff 7 Posted by Tasos Laskos on 15 Sep, 2016 08:53 AM

    It was meant to point to: tasos[dot]laskos[at]arachni-scanner.com

  8. Support Staff 8 Posted by Tasos Laskos on 15 Sep, 2016 01:59 PM

    One more question, is there a nonce in the form's action?

  9. 9 Posted by uasalian on 15 Sep, 2016 02:17 PM

    No, there is no nonce in the action either.

  10. Support Staff 10 Posted by Tasos Laskos on 23 Sep, 2016 11:49 AM

    Updating based on e-mail communications:

    1. Sample form input value of 111-111-1111 looks like a base16 digest and is assumed to be an anti-csrf token.
    2. Any input name or value that includes the string "csrf" is assumed to include a token.
  11. 11 Posted by uasalian on 23 Sep, 2016 03:12 PM

    Hi Tasos,

    Thanks for providing the details; now I see why Arachni figured there is an anti-CSRF defense even though there isn't any. But if I may, I would like to voice my opinion that both of these assumptions can prove highly deceptive, as was shown by my test application. Ideally, a true test could be set up as follows: the tool should take all the required parameters of a form (under investigation) as input in the form of key-value pairs, attempt a form submission using that input, and then look for a specific outcome in the response to identify a successful CSRF attack. In other words, the best way of identifying the CSRF vulnerability would be by launching an actual attack.

  12. Support Staff 12 Posted by Tasos Laskos on 23 Sep, 2016 03:20 PM

    This would create a lot of FPs, as update messages can differ depending on what you change on the form (assuming you even manage to pick valid values), thus making a baseline impossible to establish.

    I think it would be best to remove the heuristics that look for tokens based on format and just leave the nonce check.
    If there's a name or value that changes with each page refresh, then there's a nonce present and it's safe to assume it has to do with server-side validation.

    Of course, you'd still miss out on cases where the nonce fails to be checked on the server side even though it's in the form, but you can only do so much.
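
    The two heuristics discussed above (post 10's format-based token detection and post 12's nonce check) side by side, as an added example that is not Arachni's own code. The form-field extractor, the hex-digest regex and the two form snapshots are constructed for illustration; Arachni's real matching rules are not reproduced here. The second heuristic stands in for two fetches of the same page by taking two HTML snapshots.

```ruby
# Added example: decide whether a form appears to carry an anti-CSRF token.
# Not Arachni's code; the regexes and sample forms below are constructed.

# Minimal <input> extractor for the constructed HTML (a scanner would use a
# real HTML parser). Returns { name => value }.
def extract_fields(html)
  html.scan(/<input\b([^>]*)>/i).flatten.each_with_object({}) do |attrs, fields|
    name  = attrs[/\bname\s*=\s*["']([^"']*)["']/i, 1]
    value = attrs[/\bvalue\s*=\s*["']([^"']*)["']/i, 1] || ''
    fields[name] = value if name
  end
end

# Heuristic 1 (format based, the one the thread shows to be deceptive):
# a value that looks like a hex digest, or a name/value containing "csrf",
# is assumed to be a token. Approximate rule, constructed for this example.
def token_by_format?(fields)
  fields.any? do |name, value|
    name.downcase.include?('csrf') ||
      value.downcase.include?('csrf') ||
      value.match?(/\A[0-9a-f-]{8,}\z/i)
  end
end

# Heuristic 2 (nonce based, the one kept in the thread): a field whose value
# differs between two fetches of the same form is a per-request nonce.
def token_by_nonce?(fields_a, fields_b)
  fields_a.any? { |name, value| fields_b.key?(name) && fields_b[name] != value }
end

# true  => the form should be reported as lacking anti-CSRF protection
# false => a token was (assumed to be) found
def csrf_candidate?(snapshot1, snapshot2, use_format_heuristic: false)
  f1 = extract_fields(snapshot1)
  f2 = extract_fields(snapshot2)
  return false if token_by_nonce?(f1, f2)
  return false if use_format_heuristic && token_by_format?(f1)
  true
end

# Constructed: a profile form like the one in the thread, no token, phone prefilled.
PROFILE_FORM = <<~HTML
  <form action="/profile" method="post">
    <input type="text" name="address" value="1 Example St">
    <input type="text" name="phone" value="111-111-1111">
    <input type="submit" value="Save">
  </form>
HTML

# Constructed: the same form with a hidden token that changes per request.
TOKENED_FORM_1 = PROFILE_FORM.sub('</form>', '<input type="hidden" name="_token" value="a1b2c3"></form>')
TOKENED_FORM_2 = PROFILE_FORM.sub('</form>', '<input type="hidden" name="_token" value="d4e5f6"></form>')

if __FILE__ == $0
  # Format heuristic misreads the phone number as a digest and stays silent.
  puts "profile form, format heuristic on:  flagged=#{csrf_candidate?(PROFILE_FORM, PROFILE_FORM, use_format_heuristic: true)}"
  # Nonce check alone: nothing changes between fetches, so the form is flagged.
  puts "profile form, nonce check only:     flagged=#{csrf_candidate?(PROFILE_FORM, PROFILE_FORM)}"
  # A real per-request token is detected by the nonce check.
  puts "tokened form, nonce check only:     flagged=#{csrf_candidate?(TOKENED_FORM_1, TOKENED_FORM_2)}"
end
```

    Running the script shows the false negative from the thread: with the format heuristic on, the plain phone value "111-111-1111" is taken for a token and the unprotected profile form is not reported, while the nonce check reports it and still recognises a genuinely rotating hidden token. As post 12 notes, the nonce check cannot tell whether the server actually validates the token; that needs a manual or behavioural check.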

  13. 13 Posted by uasalian on 23 Sep, 2016 03:32 PM

    I agree, and this shows why security testing is such a difficult business!

    Thanks a lot for your help!

  14. Support Staff 14 Posted by Tasos Laskos on 23 Sep, 2016 03:46 PM

    No problem.

    Pushing nightlies now, will let you know once they're up.

  15. Support Staff 15 Posted by Tasos Laskos on 23 Sep, 2016 05:52 PM

    Nightlies are up, give them a try.

  16. Tasos Laskos closed this discussion on 24 Oct, 2016 09:00 AM.
