Cross-Site Request Forgery

What is CSRF?

  • Cross-site request forgery, originally called the confused deputy attack and abbreviated CSRF (often pronounced "sea-surf") or XSRF, is also known as session riding, one-click attack, cross-site reference forgery, and hostile linking. It is a type of malicious exploit that tricks a user's browser into inadvertently issuing an HTTP request to a web application without the user's knowledge.
  • This is a type of forgery because (1) the attack inherits the identity and privileges of the victim and (2) the attacker performs an undesired action on the victim's behalf.
  • A website is vulnerable if it performs a function in response to a static (predictable) URL or POST request.
  • If the CSRF attack is stored on the vulnerable site, the vulnerability is called a stored CSRF flaw.

Exploits

  • The site's blind trust in the user's identity
  • User privileges to access data and operations
  • Administrator privileges to access data and operations
  • Typical malicious actions include:
    • log in and log out
    • retrieve or change account information such as e-mail address, home address, and password
    • post content to a message board, subscribe to an online newsletter, perform stock trades, use a shopping cart, or even send an e-card

vs. XSS

  • The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.
  • Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

Examples

Detection

  • A CSRF vulnerability can be detected by using a browser proxy to capture a request and checking whether the same request to the web application, replayed at two different times, still succeeds without any unpredictable token. If each request must carry such an unpredictable token, attackers cannot forge malicious requests.
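The replay check described above can be automated once two captures of the same form submission are exported from the proxy. The following is an added example (not code from the original page): it parses two constructed raw HTTP requests to a hypothetical host, lists the form fields whose values differ between the captures, and treats a differing field as an anti-CSRF token only if its value is long and high-entropy. The `min_len` and `min_bits_per_char` thresholds are assumptions chosen for this example.

```python
import math
from urllib.parse import parse_qs

# Constructed sample captures (hypothetical host and paths). The user-supplied
# field is identical in both captures, so only a per-request token should vary.
def _raw(lines):
    return "\n".join(lines)

REQ_NO_TOKEN_A = _raw([
    "POST /account/email HTTP/1.1",
    "Host: bank.example",
    "Cookie: session=9f1c3b2a7e",
    "Content-Type: application/x-www-form-urlencoded",
    "",
    "email=alice%40example.com",
])
REQ_NO_TOKEN_B = REQ_NO_TOKEN_A  # a second capture that is byte-for-byte the same

REQ_TOKEN_A = _raw([
    "POST /account/email HTTP/1.1",
    "Host: bank.example",
    "Cookie: session=9f1c3b2a7e",
    "Content-Type: application/x-www-form-urlencoded",
    "",
    "email=alice%40example.com&csrf_token=k3Jf9qL2xWv8pTzR0aHd6eYs",
])
REQ_TOKEN_B = _raw([
    "POST /account/email HTTP/1.1",
    "Host: bank.example",
    "Cookie: session=9f1c3b2a7e",
    "Content-Type: application/x-www-form-urlencoded",
    "",
    "email=alice%40example.com&csrf_token=Zb7Pw4rNq1cVt9XmL2yKd8Fh",
])


def parse_request(raw):
    """Split a raw HTTP request into method, path, headers and decoded form fields."""
    head, _, body = raw.partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"method": method, "path": path, "headers": headers, "fields": fields}


def shannon_entropy(value):
    """Bits of entropy per character, estimated from the character frequencies."""
    n = len(value)
    counts = {c: value.count(c) for c in set(value)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def looks_like_token(value, min_len=16, min_bits_per_char=3.5):
    """Heuristic (assumed thresholds): long enough and not low-entropy."""
    return len(value) >= min_len and shannon_entropy(value) >= min_bits_per_char


def varying_fields(raw_a, raw_b):
    """Form fields whose values differ between two captures of the same endpoint."""
    a, b = parse_request(raw_a), parse_request(raw_b)
    if (a["method"], a["path"]) != (b["method"], b["path"]):
        raise ValueError("captures must target the same endpoint")
    names = set(a["fields"]) | set(b["fields"])
    return {n: (a["fields"].get(n), b["fields"].get(n))
            for n in names if a["fields"].get(n) != b["fields"].get(n)}


def assess(raw_a, raw_b):
    """Report candidate token fields; none found means the request replays unchanged."""
    token_fields = sorted(
        name for name, (va, vb) in varying_fields(raw_a, raw_b).items()
        if va and vb and looks_like_token(va) and looks_like_token(vb)
    )
    return {"token_fields": token_fields, "likely_vulnerable": not token_fields}


if __name__ == "__main__":
    print(assess(REQ_NO_TOKEN_A, REQ_NO_TOKEN_B))
    print(assess(REQ_TOKEN_A, REQ_TOKEN_B))
```

The heuristic only flags a replayable request; a field that changes legitimately between submissions (a timestamp, a sequence number) can be mistaken for a token, so the finding should be confirmed by resubmitting the first capture and observing whether the server still performs the action.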

Defensive Measures

  • Check the URL referer: implement a check on the incoming Referer header. This may not be effective, because the Referer header can be tampered with maliciously by attackers, or stripped purposefully by personal security software packages such as parental-control software, privacy software, and others.
  • Issue a synchronizer token: issue a token to every user session and include it in each form returned to the browser. When that form is submitted, the synchronizer token in the form is compared with the synchronizer token stored in the session.
  • Demo 2
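The following added example (not the page's own demo code) shows the vulnerable handler from the "What is CSRF?" section beside the synchronizer-token defence, plus the Referer check with the caveat noted above. Requests are modelled as plain dictionaries and the session store as an in-memory dict; the site host `bank.example` and the handler names are assumptions made for this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "bank.example"  # hypothetical host of the protected site


def new_session(store, user, email):
    """Create a server-side session that carries its own synchronizer token."""
    sid = secrets.token_urlsafe(32)
    store[sid] = {"user": user, "email": email,
                  "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_email_form(store, sid):
    """Return the form with the session's token embedded as a hidden field."""
    token = store[sid]["csrf_token"]
    return ('<form method="post" action="/account/email">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="email"><button>Save</button></form>')


def _session_for(store, request):
    return store.get(request["cookies"].get("session"))


def change_email_vulnerable(store, request):
    """'Before': the browser's session cookie alone authorises the change,
    so any site that makes the browser POST here succeeds."""
    session = _session_for(store, request)
    if session is None:
        return 401, "not logged in"
    session["email"] = request["form"]["email"]
    return 200, "email updated"


def change_email_protected(store, request):
    """'After': the submitted token must match the session's token.
    A forged request cannot include it because the attacker never sees the form."""
    session = _session_for(store, request)
    if session is None:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise a TypeError
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    session["email"] = request["form"]["email"]
    return 200, "email updated"


def referer_allows(request, site_host=SITE_HOST, reject_missing=False):
    """Referer check. The caveat from the text: privacy software may strip the
    header entirely, so a site must decide whether a missing Referer is rejected
    (breaking those users) or accepted (weakening the check)."""
    referer = request["headers"].get("referer")
    if referer is None:
        return not reject_missing
    return urlsplit(referer).hostname == site_host


if __name__ == "__main__":
    store = {}
    sid = new_session(store, "alice", "alice@example.com")
    # Constructed forged request: valid cookie, attacker-chosen body, no token
    forged = {"cookies": {"session": sid},
              "headers": {"referer": "https://evil.example/"},
              "form": {"email": "mallory@evil.example"}}
    print(change_email_vulnerable(store, forged))   # (200, 'email updated')
    print(change_email_protected(store, forged))    # (403, 'missing or invalid CSRF token')
    print(referer_allows(forged))                   # False
```

The token is compared against the server-side session, never against a value the request itself supplies, and the `compare_digest` call keeps the comparison constant-time.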
