Demonstration of an attack against express that's using csurf library with cookie signing enabled.
To run it:
- checkout the repo
- go into csurf-signed-attacker and run
npm i
- go into csurf-signed-victim and run
npm i
- modify
csurf-signed-attacker/node_modules/cookie-signature/index.js
line 42 so it always returnsstr
and does not check signature - run
npm start
for both apps - attacker website will run on
:3001
, victim one on:3000
- to demonstrate it nicely setup hosts on your local to simulate domain and subdomain, for example add/modify line like this:
127.0.0.1 localhost csrftest.com 1.csrftest.com
There are two phases of the attack:
- preparation by the attacker
- victim visiting attacker website (phishing or so, as usual with CSRF)
- attacker visits victim website -
csrftest.com:3000
and saves signed cookie value
- victim visits attacker website on a subdomain - for example
1.csrftest.com:3001
in our case, I'm using different ports to make it easier to run on localhost with vanila setup - attacker website toses signed cookie value obtained previously into a cookie with domain set to
.csrftest.com
and with specific path - in our case/csrfprotected
- that's happening by visitinghttp://1.csrftest.com:3000/toss?tossme=XYZ
whereXYZ
is value previously captured by the attacker - attacker website tricks user into submitting (or submits via JS) form available on
1.csrftest.com:3001
- CSRF token present on the attacker website gets accepted on victims website