In-Depth ConceptsInformationPremium

Concept Behind Cross-Site Request Forgery.

34

Cross-site Request Forgery, aka CSRF or one-click attack, is a diffused security issue issue where unathorized commands are sent from the user’s browser to a web site or a web application. CSRF is different from Cross-Site Scripting in the sense that it does not need to inject code into trusted pages, but can work from untrusted ones thanks to the open architecture of the web.

A quick example

I was browsing the bug tracker of a popular web service to propose an improvement, where I saw that the only Critical ticket was related to CSRF vulnerabilities.

The website uses links for the deletion of the current user’s data, such as /delete_my_items. When a user follows the link present on his account page, his session cookie establish his identity and his data is deleted.

To perform an attack, we only have to make the user load this URL. A simple link would probably not work, but we can easily reach the same goal with an image:

<img src="http://techandsecurity.net/delete_my_items" />

We just have to provide a link to a page containing this image for the user, or send it to him in an HTML email.

How it works

Unlike for XMLHttpRequest, images and other resources can be loaded from whatever hostname, and even if the image tag is hosted on a different website it won’t matter.

Since the request is performed by the user’s browser, it will transmit the session cookie as it would for any application.com page.

The point of all CSRF attacks is tricking the browser into sending an unwanted HTTP request so that there is no need to steal the identity of the user. That’s probably why our banks log us out after 2 minutes of inactivity or require one-time tokens to authorize money transfers.

The assumptions of CSRF

In order for a CSRF attack to be possible, some assumptions have to be verified:

  • the attacked website does not check the Referer HTTP header so that it accepts requests originating from external pages.
  • The web site accepts data modification via form submissions or URLs that have side effects which the attacker can exploit.
  • The attacker can determine all the values for the request inputs. In the simplest case, authentication is done exclusively via a session cookie and so the attacker just have to fill non-sensitive fields.
  • The user must load a malicious page containing the attacker’s code. Judging by the amount of Facebook Likejacking, clicking on everything that moves is a pretty common behavior.

Countermeasures

Every countermeasure can raise the bar and make CSRF more difficult to perform.

First of all, don’t use GET for operations with side-effects. CSRF relies on requests that produce side-effects like deletions or data modifications, and using GET just makes these requests simpler to perform.

POST however is not enough: an attacker can submit a form using JavaScript once the page is loaded, and create a phantom POST request.

There are different alternatives to avoid CSRF for POST requests.

1. The Referer header

You can check the Referer HTTP header and verify that the request originated from a page internal to your web application. The Referred can be spoofed very easily by a malicious user agent, but the common user is running a general purpose browser, not a malicious user agent.

This approach assumes no one can inject HTML/JavaScript in your pages to originate a request; otherwise the referrer would be correct.

The issues is that referrer stripping is really commonup to 11% of HTTP requests do not contain it; for example, corporate proxies or old user agents commonly strip it away. Thus, strict referrer checking would lock out more than a tenth of your user base from making POST requests.

2. Session Token

Solutions based on a one-time token for forms are by far more popular: the token is saved in the user’s session and transmitted in each official form.

Zend_Form_Element_Hash is an example of this technique: a hidden field is added to forms and populated with the token. To make a successful request, the attacker must know the user-specific token, but can’t access it since an external page cannot load a form on another domain via JavaScript.

In 2011, this is the standard approach.

3. Double-submitted cookie

A variant of the previous technique consists in matching a token sent with the form and with a cookie, instead that with a session value.

Due to the same origin policy, JavaScript code loaded from another host cannot read a cookie set on the official hostname. Thus while official forms will send the value along with the cookie, the attacker’s ones will have to guess the value of the cookie to include it in the request (an impossible task if the value is long enough.)

The advantage of this variant is that less server resources are occupied to store form tokens, and you won’t be the subject of a DDOS attack based on multiple form loading.

Conclusion

The proposal of the most famous paper on CSRF is to add an Origin header to HTTP, in alternative to Referer. This head would be sent only for POST requests, and would contain only an hostname instead of a full URL, to ensure privacy.

The techniques described in this article are viable and worth a thought for any application that contains useful data; they hinder testability with certain instruments that build HTTP requests, but they are not an issue for browser-based tools like Selenium.

If You Had Any Query Please Use comment Box Or Reach Me At  (Follow this link to message me on WhatsApp: https://wa.me/441173251891)

Lovepreet Singh
CEO & FOUNDER OF" FIVE RIVERS INCORPORATION - LEADING SOFTWARE & CYBER SECURITY DEVELOPMENT COMPANY" || CERTIFIED ETHICAL HACKER || FUTURE TRILLIONAIRE || FUTURISTIC || "DULL SCHOOL STUDENT" || (Follow this link to message me on WhatsApp: https://wa.me/13018426470)

Introduction to Tabnapping – Hacking When The Phishing is Outdated.

Previous article

Windows CMD Remote Commands for the Aspiring Hacker, Part 1

Next article

You may also like

34 Comments

  1. Effects Of Keflex Antibiotic Kamagra 100mg Oral Viagra Free Belgium [url=http://cpsmeds.com]cialis 5 mg best price usa[/url] Zithromax Itchy Hands

  2. My Cat Ate An Amoxicillin 500 Levitra Comprar Online Viagra Achat Gratuit [url=http://cialibuy.com]canadian pharmacy cialis 20mg[/url] Viagra Online Fast

  3. As the admin of this website is working, no hesitation very shortly it will be renowned, due to its quality contents.

  4. Cialis Cada Cuando Se Toma Viagra Rezeptfrei China [url=http://antabusefast.com]antabuse without prescription[/url] Cvs Buy Propecia Precio Viagra Espana Farmacia

  5. … [Trackback]

    […] Info on that Topic: techandsecurity.net/concept-behind-cross-site-request-forgery.html […]

  6. It is appropriate time to make some plans for the
    future and it’s time to be happy. I’ve read this post and if I
    may I wish to suggest you few attention-grabbing things or suggestions.
    Perhaps you can write next articles referring to this article.
    I want to read more issues about it!

  7. Hey there! This is my 1st comment here so I just wanted to
    give a quick shout out and tell you I truly enjoy reading
    through your posts. Can you recommend any other blogs/websites/forums that deal with the same topics?
    Thank you!

  8. I am regular reader, how are you everybody?

    This piece of writing posted at this web page is actually fastidious.

  9. Hi! Do you know if they make any plugins to help with Search Engine Optimization? I’m trying to get my
    blog to rank for some targeted keywords but I’m not seeing very
    good results. If you know of any please share. Appreciate it!

  10. I like the helpful information you provide in your articles.
    I’ll bookmark your blog and check again here frequently.

    I am quite sure I’ll learn many new stuff right here!
    Good luck for the next!

  11. Hello, the whole thing is going nicely here and ofcourse every one is sharing facts,
    that’s truly fine, keep up writing.

  12. Pretty! This has been a really wonderful article. Thanks for providing these details.

  13. … [Trackback]

    […] There you will find 72488 more Info to that Topic: techandsecurity.net/concept-behind-cross-site-request-forgery.html […]

  14. Hello, i feel that i noticed you visited my web site so i got here to return the desire?.I am attempting to to find things to improve
    my website!I assume its good enough to make use of a few of your ideas!!

  15. I do not even know how I ended up here, but I thought this post was good.
    I don’t know who you are but definitely you’re going to a famous blogger if you
    aren’t already 😉 Cheers!

  16. … [Trackback]

    […] Find More on on that Topic: techandsecurity.net/concept-behind-cross-site-request-forgery.html […]

  17. Now I am going to do my breakfast, afterward having my breakfast coming yet again to read more news.

  18. It’s actually a nice and helpful piece of info.
    I am satisfied that you just shared this useful information with us.
    Please stay us informed like this. Thank you for sharing.

  19. First of all I would like to say great blog! I had a quick question in which I’d like to ask
    if you don’t mind. I was curious to find out how you center yourself and clear your head before writing.
    I have had a tough time clearing my mind in getting my ideas out there.
    I do take pleasure in writing however it just seems like the first 10
    to 15 minutes are generally wasted simply just trying to figure out how to begin.
    Any suggestions or tips? Cheers!

  20. … [Trackback]

    […] Find More to that Topic: techandsecurity.net/concept-behind-cross-site-request-forgery.html […]

  21. Amoxicillin Wholesale World Market Price Achat Viagra Pas Cher Buy Metronidazole 500 Mg Online [url=http://mpphr.com]levitra et dapoxetine[/url] Yerba

  22. … [Trackback]

    […] Info to that Topic: techandsecurity.net/concept-behind-cross-site-request-forgery.html […]

  23. … [Trackback]

    […] Read More on to that Topic: techandsecurity.net/concept-behind-cross-site-request-forgery.html […]

  24. … [Trackback]

    […] There you will find 51045 more Info on that Topic: techandsecurity.net/concept-behind-cross-site-request-forgery.html […]

  25. … [Trackback]

    […] Find More Info here on that Topic: techandsecurity.net/concept-behind-cross-site-request-forgery.html […]

  26. What’s up to every body, it’s my first go to see of this weblog; this weblog includes remarkable and
    truly fine data for readers.

  27. Where To Buy Viagra Pills [url=http://addrall.com]when will alli be back for sale[/url] Is Cephalexin Safe While Breastfeeding

  28. Viagra Generic Very Very Cheap [url=http://try-rx.com]cialis overnight shipping from usa[/url] Cheap Real Cialis Dutasteride Where To Buy By Money Order Shop Hydrochlorothiazide Order Secure Ordering With Free Shipping Shop

  29. Cialis Sold Cheap Clavamox Cephalexin Interactions [url=http://buycheapcial.com]cheapest cialis[/url] Viagra 100mg Canada Pharmacy

  30. Viagra Usa Overnight Delivery Sexpill Eli Lilly Cialis [url=http://drugsir.com]cialis overnight shipping from usa[/url] Propecia Usa Merck Lexapro No Perscription Viagra Types Of Amoxicillin 500mg Capsules [url=http://costofvia.com]viagra[/url] Compare Viagra Canadian Costs Professional Viagra Next Day [url=http://cialibuy.com]canadian pharmacy cialis 20mg[/url] Orlistat Without Prescription In Canada

  31. Online Pharmacies In Usa Overnight [url=http://viaabuy.com]viagra[/url] Where Can I Purchase Viagra Online No Presription Finasteride Como Tomar Cialis 20 Mg [url=http://rxasian.com]viagra[/url] Salem Vpxl Fluoxetine Us Pharmacy [url=http://gaprap.com]viagra[/url] Cephalexin And The Treatment Of Mrsa Buy Generic Accutane No Prescription Viagra Costo In Italia Can You Get High On Cephalexin Productos Kamagra [url=http://orderlevi.com]realcheaplevitra[/url] Fastest Shipping Generic Viagra

  32. Osu Viagra Precio Farmacia Priligy Tijuana [url=http://sildenaf100mg.com]viagra[/url] Buy Cipro Xr 500mg Online Concepimento Propecia Finasteride Discount Generic Accutane

  33. Orlistat No Prescription Cialis E Zoloft [url=http://aquedan.com]buy sertraline no prescription[/url] Mejor Cialis Levitra Cytotec Marrakech Marca Propecia Finasteride Knee Infection Keflex What Does Cephalexin Cure Cialis Viagra Toscana [url=http://cialiprice.com]cialis[/url] Is Amoxicillin Made From Pinicillin Cialis Mazatlan Mexico Comprar Viagra Online Espana Parkizol Online Cialis Trial Packs Express Shipping [url=http://cialibuy.com]cialis 5 mg[/url] Proven Ways To Last Longer In Bed Pedidos De Viagra Keflex W Insurance [url=http://bestlevi.com]levitra sold over the counter[/url] How To Get Zithromaz Without Prescription Over Night Shipping Order Cheapest Flagyl In Salem Malegra 100 Sunrise Cytotec Sans Ordonnance [url=http://mdsmeds.com]buy cialis online[/url] Cialis Viagra Doctissimo On Line Fluoxetine Need With Free Shipping Store

  34. Cadianhealth Propecia E Impotencia Comprar [url=http://bestlevi.com]levitra without prescription[/url] Como Tomar Propecia Viagra Lilly Icos Viagra Tablets India [url=http://rxbill8.com]cialis 5 mg best price usa[/url] Wann Fangt Cialis An Zu Wirken Us Made Cailis Acticin 30gm Shop Amex Accepted Is Amoxicillin In Penicillin Family Cialis Generico Marca Priligy Generique [url=http://cialiviag.com]cialis 5mg[/url] Retin A From Online Store El Cialis Es Malo Alli Canada

Leave a reply

Your email address will not be published. Required fields are marked *