Cross-Site Request Forgery(CSRF)



A CSRF attack forces an authenticated user (victim) to send a forged HTTP request, including the victim's session cookie to a vulnerable web application, which allows the attacker to force the victim's browser to generate request such that the vulnerable app perceives as legitimate requests from the victim.

Let us understand Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impacts of this flaw with the help of simple diagram.

csrf

Example

Here is a classic example of CSRF −

Step 1 − Let us say, the vulnerable application sends a state changing request as a plain text without any encryption.

http://bankx.com/app?action=transferFund&amount=3500&destinationAccount=4673243243

Step 2 − Now the hacker constructs a request that transfers money from the victim's account to the attacker's account by embedding the request in an image that is stored on various sites under the attacker's control −

<img src = "http://bankx.com/app?action=transferFunds&amount=14000&destinationAccount=attackersAcct#" 
   width = "0" height = "0" />

Hands ON

Step 1 − Let us perform a CSRF forgery by embedding a Java script into an image. The snapshot of the problem is listed below.

csrf1

Step 2 − Now we need to mock up the transfer into a 1x1 image and make the victim to click on the same.

csrf2

Step 3 − Upon submitting the message, the message is displayed as highlighted below.

csrf3

Step 4 − Now if the victim clicks the following URL, the transfer is executed, which can be found intercepting the user action using burp suite. We are able to see the transfer by spotting it in Get message as shown below −

csrf3

Step 5 − Now upon clicking refresh, the lesson completion mark is shown.

Preventive Mechanisms

  • CSRF can be avoided by creating a unique token in a hidden field which would be sent in the body of the HTTP request rather than in an URL, which is more prone to exposure.

  • Forcing the user to re-authenticate or proving that they are users in order to protect CSRF. For example, CAPTCHA.

Advertisements