Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that takes advantage of users who are already authenticated to a web application by making them perform unwanted actions in that application. An attacker can trick the users of a web application, for example by sending a link via email that executes a hidden action. CSRF attacks are not useful for data theft, since they target state-changing requests and the attacker cannot see the response to the forged request. The attacker can, however, make the victim unknowingly perform actions such as changing their login information or transferring funds.

How does it work?

To explain how a CSRF attack is carried out, let us take a look at a simple example.

Bob wants to transfer Rs.7000 to Alice through HNB bank's online transaction portal. To do so, Bob authenticates to the bank's website using his credentials. Eve is the attacker in this scenario, and she plans to use a CSRF attack to have Bob's money transferred to her. To do this successfully, Eve must do two things:
  1. Build an exploit URL or Script
  2. Trick Bob into running the exploit

1. Building the Exploit

When Bob confirms his transaction to Alice, the GET request would look something like this:
http://hnb.com/transfer.do?acct=ALICE&amount=7000

All Eve has to do to perform a CSRF attack is to change this request so that it names her own account and the amount of funds she desires:
http://hnb.com/transfer.do?acct=EVE&amount=1000000

2. Tricking Bob into Running the Exploit

Eve must use social engineering to trick Bob into running her exploit. There are multiple ways she can achieve this:
  • sending an email with HTML content
  • disguising the URL in a link which Bob might be interested in clicking
  • hiding the URL in an image
  • adding the URL into web pages that Bob might visit.
When Bob runs the exploit, no authentication step is needed, because Bob is already authenticated from his transaction to Alice. The forged request therefore runs without any interruption and Eve receives the funds.

[Figure: CSRF attack on Bob]
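As an added example (not code from the original post), the following Python models the bank's transfer endpoint two ways: the vulnerable handler the scenario describes, which performs a state change on a GET request authorised by the session cookie alone, and a hardened handler using the synchronizer token pattern, one of the standard defences. The session id, token field name, handler names and the Request class are assumptions made for the illustration; Eve's forged URL passes the first handler and is rejected by the second.

```python
import secrets
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed server-side state (hypothetical session id): Bob's logged-in session
# and the per-session anti-CSRF token the hardened handler expects to be echoed back.
SESSIONS = {"sid-bob-1": {"user": "BOB", "csrf": secrets.token_urlsafe(32)}}

@dataclass
class Request:
    method: str
    query: str = ""                       # e.g. "acct=ALICE&amount=7000"
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def _do_transfer(user, acct, amount):
    # Stand-in for the real transfer; returns a record instead of mutating state.
    return f"OK: {user} -> {acct} {amount}"

def transfer_vulnerable(req):
    """Mirrors transfer.do from the post: a state change on GET, authorised by
    the session cookie alone. Bob's browser attaches that cookie to Eve's
    forged URL as well, so the forged request is indistinguishable."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if not sess:
        return "401 not logged in"
    p = {k: v[0] for k, v in parse_qs(req.query).items()}
    return _do_transfer(sess["user"], p["acct"], int(p["amount"]))

def transfer_hardened(req):
    """Synchronizer token pattern: state changes only over POST, and the form
    must echo the secret token tied to the session. A page on another origin
    cannot read that token, so it cannot build a request that passes."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if not sess:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state change requires POST"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):  # constant-time compare
        return "403 missing or invalid CSRF token"
    return _do_transfer(sess["user"], req.form["acct"], int(req.form["amount"]))

# Eve's URL from the post, replayed by Bob's browser together with Bob's cookie.
forged = Request("GET", "acct=EVE&amount=1000000", cookies={"sid": "sid-bob-1"})
# Bob's own form submission, carrying the token the bank's page rendered for him.
genuine = Request("POST", cookies={"sid": "sid-bob-1"},
                  form={"acct": "ALICE", "amount": "7000",
                        "csrf_token": SESSIONS["sid-bob-1"]["csrf"]})
```

The hardened handler still relies on the cookie for authentication; the token only proves the request was built from a page the bank itself served to Bob.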

Protection Measures

A number of protection measures have been proposed to prevent CSRF attacks from being exploited. Two of them will be discussed in this blog:
