Dr. Drew Hwang, CIS, Cal Poly Pomona
Secure Web Development
Cross-Site Request Forgery
What is CSRF?
Cross-site request forgery, originally called confused deputy attack, abbreviated as CSRF (often pronounced sea-surf) or XSRF, and also known as session riding, one-click attack, cross-site reference forgery, or hostile linking, is a type of malicious exploit that tricks a user's browser into issuing an HTTP request to a web application without the user's knowledge.
This is a type of forgery because (1) the attack inherits the identity and privileges of the victim and (2) the attacker performs an undesired action on the victim's behalf.
A website is vulnerable if it performs a function in response to a predictable, static URL or POST request.
If the CSRF attack is stored on the vulnerable site itself, the vulnerability is called a stored CSRF flaw.
Exploits
CSRF exploits:
The site's blind trust in user identity
User privilege to access data and operations
Administrator privilege to access data and operations
Typical malicious actions include:
log in and log out
retrieve and change account information such as e-mail address, home address, password, and so on
post content to a message board, subscribe to an online newsletter, perform stock trades, use a shopping cart, or even send an e-card
vs. XSS
The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.
Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
Examples
OWASP example
Detection
A CSRF vulnerability can be detected by using a browser proxy to capture a request to the web application and replaying the same request at a later time: if the request still succeeds without an unpredictable token, the function is forgeable. When the application does require such an unpredictable token, attackers cannot forge valid requests.
Defensive Measures
Check URL referer: Implement a check routine on the incoming Referer header, but this might not be effective because the Referer header can be tampered with maliciously by hackers or stripped purposefully by personal security software packages such as parental control software, privacy software, and others.
Issue synchronizer token: Issue a token to every user session and include it with each form returned to the browser. When that form is submitted, the synchronizer token in the form is compared to the synchronizer token in the session.
Demo 2
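The two defensive measures above, worked through as an added example (not code from this course or its demos): an in-memory session store, a form that carries a per-session synchronizer token, a constant-time comparison on submit, and the weaker Referer check beside it. The session store, the `/change-email` form and the site name `bank.example` are assumed for illustration.

```python
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical in-memory session store: session id -> session data.
SESSIONS: Dict[str, dict] = {}


def new_session() -> str:
    """Create a session and issue it one unpredictable synchronizer token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid: str) -> str:
    """Return the form with the session's token embedded as a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/change-email">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="email"><button>Save</button></form>')


def valid_token(sid: str, submitted: Optional[str]) -> bool:
    """Compare the submitted token to the session token in constant time."""
    session = SESSIONS.get(sid)
    if session is None or not submitted:
        return False
    return hmac.compare_digest(session["csrf_token"], submitted)


def valid_referer(headers: dict, site: str = "https://bank.example") -> bool:
    """Weaker check: Origin/Referer must name our own site.
    Fails closed when the header is absent (privacy software often strips it)."""
    ref = headers.get("Origin") or headers.get("Referer") or ""
    return ref == site or ref.startswith(site + "/")


def handle_change_email(sid: str, form: dict, headers: dict) -> int:
    """Return an HTTP status: 403 unless the request carries the session's token."""
    if not valid_token(sid, form.get("csrf_token")):
        return 403  # forged request: missing or wrong synchronizer token
    SESSIONS[sid]["email"] = form["email"]
    return 200
```

A request forged from another site cannot read the victim's form, so it cannot supply the token and is refused even though the victim's session cookie is sent along.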
References
Cross Site Request Forgery, WASC.
Cross Site Request Forgery, OWASP.
The Cross-Site Request Forgery (CSRF/XSRF) FAQ, cgisecurity.com.