Cross-Site Request Forgery (CSRF) – All things in moderation

Cross-Site Request Forgery (CSRF)

Overview

CSRF is an attack in which the victim is lured into loading a web page that contains malicious requests. If the user is currently authenticated to the target application, the CSRF attack makes their browser perform unwanted actions on their behalf.
A successful CSRF attack can force the user to perform state-changing requests.
Example:
– Change their information: email address, home address…
– Perform a trade
– …

CSRF attack scenario


1. The user logs in to the web application and is currently authenticated.
2. The attacker tricks the victim into clicking a link containing CSRF code by some means. For example, the attacker uses a phishing technique to lure the client into visiting attacker.com, which contains the CSRF code.
3. The victim clicks the link and the CSRF code is executed.

EXAMPLE:

Consider the following attack scenario: transferring money through a bank account.
– Suppose Alice wants to move $100 to Bob using bank.com.
The request has the following form.

POST http://bank.com/transfer.php HTTP/1.1
 ...
 ...
 ...
 Content-Length: 19

 acct=BOB&amount=100
  • Maria discovers that the same transfer can also be performed with a GET request:
GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
  • Maria exploits this bank.com vulnerability to trick Alice into transferring money to her. Maria crafts a URL that transfers $1000000 from Alice to herself:
http://bank.com/transfer.do?acct=MARIA&amount=1000000
  • Then Maria needs a trap to trick Alice into performing that transfer request. She puts the link in an email and sends it to Alice:
<a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>
  • Assuming Alice is authenticated with bank.com (in an active session, or automatically via her cookies), the transfer request is performed when she clicks the link.

  • However, Alice could notice the transfer by looking at the URL, so Maria can instead hide it in a very small picture:

<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">

Prevention measures

  • Use an OTP / challenge-response protocol.
    + Use a one-time token/password.
    + Re-check the password for each important operation.

  • Use Synchronizer (CSRF) Tokens

    • Any state-changing operation requires a secure random token (e.g., a CSRF token) to prevent CSRF attacks
    • Characteristics of a CSRF Token
      . Unique per user session
      . Large random value
      . Generated by a cryptographically secure random number generator
    • The CSRF token is added as a hidden field for forms, or within the URL if the state-changing operation occurs via a GET
    • The server rejects the requested action if the CSRF token fails validation
  • Use Viewstate (ASP.NET)
    + Viewstate records the state of a web page when a request is sent to the server.
    + It is harder for attackers to fake the Viewstate.

  • Use a standard library such as OWASP CSRFGuard, PHP CSRF Guard, or .NET CSRF Guard.
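As an added example (not code from the original post or from any of the libraries named above), the following Python sketch models the bank.com transfer endpoint from the scenario above, hardened with the synchronizer token pattern described in this section: the token is minted per session from a CSPRNG, rendered into the form as a hidden field, compared in constant time on every state-changing request, and the endpoint refuses GET for state changes. The in-memory session store, the account balances, the `Request` model and the `demo()` replay of Alice's legitimate submission versus Maria's forged requests are all constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed in-memory stand-in for bank.com: a session store and an account ledger.
SESSIONS: Dict[str, dict] = {}  # session_id -> {"user": ..., "csrf_token": ...}
BALANCES: Dict[str, int] = {"ALICE": 500, "BOB": 0, "MARIA": 0}


def login(user: str) -> str:
    """Create a session for `user` and mint a per-session CSRF token.

    The token is a large random value from a CSPRNG (secrets), unique per
    session, and exists only server-side and in the page the server renders.
    """
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_transfer_form(session_id: str) -> str:
    """Render the transfer form with the synchronizer token as a hidden field."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="POST" action="/transfer.php">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input name="acct"><input name="amount">\n'
        "</form>"
    )


@dataclass
class Request:
    """Minimal model of an incoming HTTP request: method, cookies, form body."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def transfer(req: Request) -> Tuple[int, str]:
    """State-changing endpoint hardened against CSRF. Returns (status, message).

    Rejects anything that is not a POST, anything without a valid session, and
    any POST whose csrf_token does not match the one bound to that session.
    """
    if req.method != "POST":
        return 405, "state-changing operations must use POST"
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401, "not authenticated"
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return 403, "CSRF token validation failed"
    src, dst, amount = session["user"], req.form["acct"], int(req.form["amount"])
    if dst not in BALANCES or amount <= 0 or BALANCES[src] < amount:
        return 400, "invalid transfer"
    BALANCES[src] -= amount
    BALANCES[dst] += amount
    return 200, f"moved {amount} from {src} to {dst}"


def extract_token(html: str) -> str:
    """Pull the hidden token out of the rendered form, as a browser submission carries it."""
    marker = 'name="csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def demo() -> dict:
    """Replay the post's scenario: Alice's own submission vs. Maria's forged requests."""
    sid = login("ALICE")
    cookies = {"session": sid}

    # 1. Alice submits bank.com's own form: the browser sends cookie + hidden token.
    token = extract_token(render_transfer_form(sid))
    legit = transfer(Request("POST", cookies, {"csrf_token": token, "acct": "BOB", "amount": "100"}))

    # 2. Maria's 1x1 <img src="...transfer.do?acct=MARIA&amount=100000"> is a GET; the
    #    browser attaches Alice's cookie automatically, but the endpoint rejects GET.
    img_forgery = transfer(Request("GET", cookies, {"acct": "MARIA", "amount": "100000"}))

    # 3. A cross-site POST carries the cookie too, but cannot read the token, which
    #    lives only in bank.com's page and session store.
    post_forgery = transfer(Request("POST", cookies, {"acct": "MARIA", "amount": "100000"}))

    return {"legit": legit, "img_forgery": img_forgery, "post_forgery": post_forgery, "balances": dict(BALANCES)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Only the legitimate submission moves money: the image-based forgery fails because the endpoint refuses GET for state changes, and the cross-site POST fails because the attacker's page cannot read the token bound to Alice's session. Binding the token to the session (rather than accepting any well-formed value) is what makes the check meaningful.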

References

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#CSRF_Specific_Defense
