CSRF (Cross-Site Request Forgery) Attacks and Testing with Kali Linux

Introduction

Cross-Site Request Forgery (CSRF) is a widespread and dangerous web application vulnerability that allows attackers to trick authenticated users into unknowingly executing unwanted actions on a web application. While not as publicly visible as XSS or SQLi, CSRF is equally dangerous, especially for administrative panels and banking applications.

In this comprehensive article, we’ll explain what CSRF is, how it works, and how to test for CSRF vulnerabilities using Kali Linux tools. We'll also explore mitigation strategies to secure applications from CSRF attacks.

What is CSRF?

CSRF (Cross-Site Request Forgery) is a type of attack where a malicious website, email, or program causes a user's web browser to perform an unwanted action on a trusted site where the user is authenticated. This is possible because browsers automatically send cookies (including session tokens) with every request, regardless of where the request originated.

In a successful CSRF attack, the attacker forces the user’s browser to send a forged HTTP request to a vulnerable web application, potentially performing actions like:

Changing user email/password
Performing financial transactions
Posting comments/messages
Modifying admin-level settings

How CSRF Works

Let’s consider a real-world analogy:

You log into your online banking site (e.g., bank.com) and stay logged in (your browser stores the session cookie).
While logged in, you visit an attacker’s malicious website.
The malicious site sends a forged request to bank.com using your browser.
Since your browser is still logged into bank.com, the request includes your session cookie.
bank.com thinks the request is legitimate and executes the action.

If the bank’s web application does not implement CSRF protection, the attacker may, for example, transfer money from your account.

CSRF Attack Example

Let’s assume the target site has a URL like:

http

http://bank.com/transfer?to=attacker&amount=1000

If the site accepts GET requests to transfer funds, an attacker might embed the following HTML in their website:

html

<img src="http://bank.com/transfer?to=attacker&amount=1000" />

When a logged-in user visits this malicious page, the request is automatically sent by the browser, including session cookies. If the site lacks CSRF protection, it will process the request.

Types of CSRF Attacks

There are several variations of CSRF attacks, including:

GET-based CSRF: Exploits URLs to carry out actions using GET parameters.
POST-based CSRF: Uses hidden HTML forms to exploit POST requests.
CSRF via XMLHttpRequest (AJAX): Advanced CSRF using JavaScript if CORS or CSP headers are misconfigured.
CSRF in JSON APIs: Exploits REST APIs using manipulated JSON payloads.

Testing for CSRF Vulnerabilities using Kali Linux

Kali Linux offers a wide range of tools and techniques to detect CSRF vulnerabilities. Below are the top tools and methods.

1. Manual Testing with Burp Suite

Burp Suite is a powerful tool that can be used to identify CSRF vulnerabilities by intercepting and modifying requests.

Steps:

Open Burp Suite and configure your browser to use Burp as a proxy (usually 127.0.0.1:8080).
Navigate to the target application and perform an action (e.g., changing a password).
In the Proxy tab, intercept the request.
Send it to the Repeater tab and replay the request.
Try removing or manipulating any CSRF token fields. If the request still works, the application might be vulnerable.
Copy the request and craft an HTML page that mimics the same request.
Save and open the HTML file in a browser where the user is authenticated and check if the request is processed.

Example Form:

html

<form action="http://target.com/change-password" method="POST">
  <input type="hidden" name="password" value="newpassword123">
  <input type="submit" value="Submit">
</form>

Automation Tip:

Use Burp’s CSRF PoC Generator in the Engagement Tools to generate attack-ready HTML.

2. OWASP ZAP

OWASP ZAP (Zed Attack Proxy) is another robust open-source tool for finding CSRF.

How to Use:

Launch ZAP and configure your browser to proxy through it.
Spider the application to map endpoints.
Use the Active Scan to analyze for vulnerabilities.
ZAP will flag missing CSRF tokens or vulnerable forms.

ZAP also provides the ability to generate CSRF proof-of-concept attacks automatically.

3. XSStrike (with CSRF features)

While primarily used for XSS, XSStrike also contains CSRF test vectors and payloads.

Install it using:

bash

git clone https://github.com/s0md3v/XSStrike
cd XSStrike
python3 xsstrike.py

It helps in identifying improper input validation, which can overlap with CSRF in certain REST API contexts.

4. CSRF-Tester

This is a specialized tool built solely to exploit CSRF vulnerabilities. While it's less common, it can automate CSRF test case generation and form submissions.

Detecting CSRF Tokens

When analyzing forms and requests, look for:

Hidden fields named csrf_token, auth_token, token, etc.
HTTP Headers like X-CSRF-TOKEN or X-Requested-With.

If these are absent, the site may be vulnerable.

5. Crafting a CSRF Exploit Page

A well-crafted CSRF attack page can perform a full exploit. Example:

html

<html>
  <body onload="document.forms[0].submit()">
    <form action="http://victim.com/profile" method="POST">
      <input type="hidden" name="email" value="attacker@evil.com">
      <input type="hidden" name="submit" value="Update">
    </form>
  </body>
</html>

Save this as csrf.html and open it in a browser where the victim is logged in.

6. Bypassing Basic CSRF Protections

Some websites use anti-CSRF tokens, but basic protection can often be bypassed if:

Tokens are predictable or reused
The server doesn’t validate the origin or referrer headers
Cookie-based authentication is used without origin checks

In these cases, automated CSRF scripts or custom payloads can still bypass weak defenses.

Prevention and Mitigation of CSRF Attacks

To prevent CSRF, developers must implement multiple defense layers:

a. CSRF Tokens

Include unique, unpredictable tokens in every form. Verify the token on the server.

php

<input type="hidden" name="csrf_token" value="random123abc456">

On the server:

php

if ($_POST['csrf_token'] !== $_SESSION['csrf_token']) {
  die("CSRF token invalid");
}

b. SameSite Cookies

Modern browsers support the SameSite cookie attribute:

http

Set-Cookie: sessionid=abc123; SameSite=Strict; HttpOnly; Secure

This prevents cookies from being sent with cross-origin requests, reducing CSRF risk.

c. Use Custom Headers with AJAX

Require a custom header like X-Requested-With: XMLHttpRequest. CSRF attackers can't set custom headers due to browser security restrictions.

d. Check Referer and Origin Headers

Although spoofable in some contexts, verifying Referer or Origin headers adds another layer of defense:

php

if (strpos($_SERVER['HTTP_REFERER'], 'yourdomain.com') !== 0) {
    die("Potential CSRF attack");
}

Testing Real Applications for CSRF (Ethically)

If you are testing real web applications:

Always have written permission or use bug bounty programs.
Document findings and report them responsibly.
Never conduct attacks on unauthorized or public platforms.

Best Practices for Developers

Use frameworks that support built-in CSRF protection (e.g., Django, Laravel).
Avoid using GET requests for state-changing operations.
Always validate CSRF tokens server-side.
Educate teams about CSRF and security best practices.
Keep libraries and frameworks updated.

Conclusion

CSRF remains a critical web application vulnerability that can lead to account hijacking, unauthorized changes, and even financial theft. Kali Linux, with tools like Burp Suite, OWASP ZAP, and manual testing capabilities, provides a solid platform to detect and exploit CSRF issues in web apps.

Combining technical knowledge with ethical testing methodologies ensures that vulnerabilities are discovered before they are exploited. And by applying token-based protection, SameSite cookies, and secure coding practices, developers can effectively mitigate CSRF risks.

Kali Linux