Web Application login form Brute Force bypass even with a CSRF Token

Hello guys long time just finished my undergraduate finals and now am back to producing walkthroughs on anything that concerns penetration testing. If you haven’t followed me do so right now so that you won’t miss any upcoming articles. For today’s walkthrough we are going to be simulating a Web Application Brute Force attack in the presence of a CSRF Token. We are going to be simulating the attack using Damn Vulnerable Web Application box from tryhackme (DVWA) login page.

Over the past couple of years it has become an increasing trend for web application to implement a CSRF Token in their login pages. The importance of this token is not only to prevent a cross site request forgery attack but also to prevent an automated brute force attack. Meaning it kinda kills two birds with one stone. Many web application examples which include:

  1. PFSense
  2. Bludit content management system
  3. Centreon

Have implemented this security feature and for security experts not familiar with coding/programming might find it difficult to perform a brute force attack in this kind of situations. That changes today we are going to be going through how to use python to create a brute forcer for login pages which utilizes a CSRF Token

Below is a screenshot of the DVWA web application

First let’s try logging in using the credential admin:admin and intercept the request using burpsuite proxy and just take a look at the request in detail

Looking at the request we see that a user_token is implemented and also the security has been set. On submitting the request in the response header we get a 302 Found on the response header. On following the request we see that it says Login failed.

Now using burpsuite let’s try sending the same request a second time and see the response using burpsuite . Looking at the response we see that the web application recognizes that the CSRF token is incorrect

Meaning the CSFR Token can’t be reused for a second time. We need to get a new CSRF Token from the web application. And this is where hydra or ZAP fails when it comes to brute force. The reason why i tested if the CSRF Token could work for a second time was because some web application just check if a token is present in the post data field of the login request and doesn’t check the authenticity of the Token meaning we can replay the same token as many times as we want in a request without it expiring or giving us errors. This could mean we could use an automated tool like hydra or burpsuite for brute force and just add a parameter for the user_token. But in our case we were not lucky. So Time to create a python automated brute forcer.

Things we need to keep in mind are:

  1. We need to find a python module that can receive and send HTTP requests
  2. We need to find a way to grab the user_token from the the webpage
  3. We need to find a way of opening a file with password and read those passwords one at a time
  4. we need to find a way to include a logic statement that determines whether the login was successful, whether the login failed and whether the CSRF Token submitted was valid or invalid

Let’s jump right into making the exploit script

First we need to import the modules that we are going to use

I just changed terminal text editor since last time i posted a walkthrough I’ve started learning how to use vim and it’s much more fun

Now we need to create a terminal class can will be accepting user input and passing the argument to functions present in the web application.

Let’s save the script and execute it

Looking at the result we have a nice terminal that has line wraps enabled rather than just using the input() function in python

Now we create a variable called session that will store our session cookie and use the session cookie stored for all the requests that we will send to the server

Now we need to implement the login that will automatically save our session cookie and give us access to the exploitable modules once we login with the correct credentials

Let’s start coding the login functionality

First we need to grab the user_token (CSRF Token) from the login page. By pressing ctrl + u and scrolling though the web application source code you can see that we are able to find the user_token

Using regular expression in python we will only grab that user_token using the code below

Now let’s save the script again and run it and see if we will be able to grab the user_token (CSRF Token)

Looking at the screenshot above we have successfully captured the user_token and it’s random as you can see meaning there was no we could make a guess on what the next session id would likely be

Next we need to tell the script to open a particular file containing a list of passwords. Let’s code it

Let’s save the script again. We need to have that file called john.txt in the same directory as the exploit script

Let’s run the script and see if we’ll get a bunch of passwords.

And looking at the script above we have a bunch of passwords . Next we need to write the code that submits the credentials provided. Let’s continue coding

File we’ll need to create a dictionary containing the post data for the login request

Sweet now let create the post request that submits credentials provided

Now that the post requests is done let’s save the script and try running it and see if it works

Looking at the result below we see that it works. The reason as to why we are getting a login failed is because the first word in the word list is not the correct password.

I made a few changes on the script to ensure in every loop we get a new user_token rather than just using the one obtained at the beginning

Next let’s implement a logic which determines whether we have a login success or login failure or CSRF Token is incorrect.

And just like that our script is done. If all goes well we’ll have a login success since the default credential for DVWA is a really weak password

Let’s save the script and run it again.

And voila we have a correct credential. But still we can take this a notch higher since I’ve done this box before i know we have about five users namely:

  1. admin
  2. gordonb
  3. 1337
  4. pablo
  5. smithy

Let’s brute force the passwords for all of them.

First in the code let’s create a list of valid users

Next we need to create the for loop so that it can circle through all the credentials

Sweet let’s execute the script and see if it will work

And voila we have valid credentials for some users

This should become a valuable lessons for our system administrator. They should remember that even if they have a cross site request forgery token on their login pages they shouldn’t feel secure but further implement other security protection like:

  1. maximum number of failed login attempt
  2. Use a better password policy
  3. Perform penetration testing on other vulnerability that could cause data breaches like SQL Injections

This will increase protection for the login pages. As an assignment try the same principle to brute force the challenges offered by DVWA

For further reference I’ll refer you to:

Ippsec’s sense video on YouTube.

He’s a great guy that has done a lot for the community.

It’s goodbye for now till next time take care and be safe. If you like the walkthrough clap for me down below and don’t forget to follow me for more walkthroughs.

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)