Changing Password with CSRF (DVWA: Level Low)

Hello Cyberman,

This article is about changing a password with CSRF. It is a pretty dangerous vulnerability, and it is very common nowadays.

First of all, the following will be used for this type of vulnerability:

To demonstrate this web vulnerability, I will use the vulnerable website called DVWA.

If you want to test or install this vulnerability, you need:

Click the above to download. Installation will not be described in this article.

What Is CSRF?

A CSRF vulnerability is the execution of transactions in a web application against the wishes of the users of that application.

This vulnerability occurs in systems that do not check from which source, and how, the requests to the application are sent. It is a detail that is overlooked by the software developers who code the application.

This vulnerability, often abbreviated as CSRF or XSRF, is also known as “Session Riding”.

How Do Attackers Use This Vulnerability?

To show the example, let's log in to the vulnerable site called DVWA and open the CSRF section.

A page like the one in the image above will appear. Our logged-in user is admin, and in this section the password will be changed.

After changing the password to "test", the following link appears in the browser's address bar: "http://192.168.1.99/dvwa/vulnerabilities/csrf/?password_new=test&password_conf=test&Change=Change#".

Since this request is made with the GET method, its parameters are visible in the URL. But it could also have been made with the POST method. For this reason, let's open Burp Suite and send the same request again.

As seen in the picture above, the request will appear in Burp Suite.

As seen above, the link can be copied from Burp Suite. If this link is triggered by the victim while logged in, the victim's password will be changed.

Attackers resort to various methods to trigger this link.
For example, they can hide the link in a page on their personal site:
<img style="display:none;" src="CSRF_LINK_HERE" alt=""/>

The IMG tag will not display an image, but the browser will still request the link placed in it. The password will be changed automatically, and the attacker will now know the account's password.
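As an added illustration (not code from DVWA or from this article), the Python model below contrasts a handler that behaves as described above with one that checks the request method, the Origin header and a per-session token. The handler names, the session layout, the `user_token` field and the sample passwords are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

APP_ORIGIN = "http://192.168.1.99"  # origin of the lab URL quoted in the article

def change_password_low(request, session, users):
    """Models the behaviour described above: a valid session is the only check."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(request["url"]).query).items()}
    new = query.get("password_new", "")
    if session and new and new == query.get("password_conf"):
        users[session["user"]] = new
        return True
    return False

def change_password_hardened(request, session, users):
    """Same action, but checks how the request was sent and where it came from."""
    if not session or request["method"] != "POST":
        return False  # state changes are never accepted over GET
    if request.get("headers", {}).get("Origin") != APP_ORIGIN:
        return False  # cross-site request, or no Origin header at all
    form = request.get("form", {})
    sent = form.get("user_token", "").encode()
    if not hmac.compare_digest(sent, session["csrf_token"].encode()):
        return False  # another site cannot read this per-session token
    new = form.get("password_new", "")
    if not new or new != form.get("password_conf"):
        return False
    users[session["user"]] = new
    return True

def demo():
    """Replay the forged GET against both handlers, then the site's own form POST."""
    url = APP_ORIGIN + "/dvwa/vulnerabilities/csrf/"
    # Hypothetical session layout: the token is random per login.
    session = {"user": "admin", "csrf_token": secrets.token_hex(16)}
    low, hard = {"admin": "old-secret"}, {"admin": "old-secret"}  # constructed users
    # Constructed: what the hidden <img> makes the victim's browser send.
    forged = {"method": "GET", "headers": {},
              "url": url + "?password_new=test&password_conf=test&Change=Change"}
    # Constructed: the application's own form, which embeds the session token.
    genuine = {"method": "POST", "url": url, "headers": {"Origin": APP_ORIGIN},
               "form": {"password_new": "n3w", "password_conf": "n3w",
                        "user_token": session["csrf_token"]}}
    return (change_password_low(forged, session, low),
            change_password_hardened(forged, session, hard),
            change_password_hardened(genuine, session, hard), low, hard)

if __name__ == "__main__":
    print(demo())
```

The forged request changes the password only in the first handler; the second accepts the change only from the application's own form.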

Don't click on every link; the joke comes from situations like this.

Have a nice day with lots of informatics 🙂
