CSRF (Cross-Site Request Forgery) is an attack technique in which the victim is tricked into loading a web page that contains malicious requests. If the user is currently authenticated, the CSRF attack performs unwanted actions on their behalf.
A successful CSRF attack can force the user to perform state-changing requests, for example:
– Change their information: email address, home address…
– Perform a trade
CSRF attack scenario
1. The user logs in to the web application and is currently authenticated.
2. The attacker tricks the victim into clicking a link that contains the CSRF code. For example, the attacker uses a phishing technique to lure the client to attacker.com, which contains the CSRF code.
3. The victim clicks the link and the CSRF code is executed.
Consider the following attack scenario: transferring money through a bank account.
– Suppose Alice wants to move $100 to Bob using bank.com.
The request has the following form:
POST http://bank.com/transfer.php HTTP/1.1
...
Content-Length: 19

acct=BOB&amount=100
- Maria notices that the same application also performs such transfers when the parameters are supplied in a GET request:
GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
- Maria exploits this bank.com vulnerability to trick Alice into transferring money to her. Maria crafts a URL that transfers $1000000 from Alice to herself.
- Maria then needs a trap to make Alice send that transfer request. She places the link in an email and sends it to Alice:
<a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>
- Assuming Alice is authenticated with bank.com (an active session, or automatically via her cookies), clicking the link performs the transfer.
However, Alice could recognize the transfer by looking at the URL, so Maria can instead hide the URL in a very small picture:
<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
Use OTP/Challenge Response protocol.
+ Use a one-time token/password.
+ Check the password for each important operation.
Use Synchronizer (CSRF) Tokens
- Any state-changing operation requires a secure random token (e.g., a CSRF token) to prevent CSRF attacks
- Characteristics of a CSRF Token
. Unique per user session
. Large random value
. Generated by a cryptographically secure random number generator
- The CSRF token is added as a hidden field for forms, or within the URL if the state-changing operation occurs via a GET
- The server rejects the requested action if the CSRF token fails validation
- Use ViewState (ASP.NET)
+ ViewState carries the state of the web page when a request is sent to the server.
+ This makes it harder for an attacker to forge the ViewState.
- Use a standard library such as OWASP CSRFGuard, PHP CSRF Guard, or .NET CSRF Guard.
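The following is an added example (not code from the original notes) that puts the synchronizer token pattern described above next to the vulnerable transfer.do from the bank.com scenario. It assumes a constructed in-memory bank, a hypothetical Session object holding one token per session, and a hidden form field named csrf_token.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory bank used only for this example.
BALANCES = {"ALICE": 1_000_000, "MARIA": 0}


@dataclass
class Session:
    """Server-side session: one CSRF token, generated once per session by a CSPRNG."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_form(session: Session) -> str:
    """The legitimate page embeds the session token as a hidden field (assumed layout)."""
    return (f'<form method="POST" action="/transfer.do">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            f'<input name="acct"><input name="amount"></form>')


def _do_transfer(session: Session, params: dict) -> tuple:
    amount = int(params["amount"])
    BALANCES[session.user] -= amount
    BALANCES[params["acct"]] = BALANCES.get(params["acct"], 0) + amount
    return 200, f"transferred {amount} to {params['acct']}"


def vulnerable_transfer(session: Session, method: str, params: dict) -> tuple:
    """transfer.do as in the scenario: any authenticated request performs the transfer,
    so a forged GET from an <img> tag succeeds (method and token are never checked)."""
    return _do_transfer(session, params)


def protected_transfer(session: Session, method: str, params: dict) -> tuple:
    """Synchronizer-token check: state changes only on POST with a valid per-session token."""
    if method != "POST":
        return 405, "state-changing operation must use POST"
    token = str(params.get("csrf_token", ""))
    # Constant-time comparison; a missing or mismatched token is rejected.
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "CSRF token failed validation"
    return _do_transfer(session, params)
```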