Cross-site request forgery (CSRF) is often confused as a vulnerability that is similar to XSS. XSS exploits the trust a user has for a particular site, which makes the user execute any data supplied by the website. On the other hand, CSRF exploits the trust that a site has in a user's browser, which makes the website execute any request coming from an authenticated session without verifying if the user wanted to perform the action.
In a CSRF attack, the attacker makes use of the fact that the user is already authenticated to the application and anything the client sends will be regarded by the server as legitimate action.
CSRF can exploit every web application function that requires a single request within an authenticated session, if sufficient defense is not implemented. Here are some of the actions that attackers perform through a CSRF attack:
Successfully exploiting the CSRF flaw depends on several variables:
POST
method. This can be achieved using a social engineering attack.The third point in the attack dependencies discussed in the preceding section requires the victim browser to submit a request to the target application without his or her victim's knowledge. It can be achieved using several ways:
<imgsrc=http://vulnerableapp.com/userinfo/[email protected] height="1" width="1"/>
The height and the width of the image is set to only 1 pixel; therefore, even when the image source is not a legitimate image, the victim won't be able to identify it. The e-mail address of the user in the application gets updated to [email protected]
. This technique only works for the GET
requests.
POST
method, the steps are more difficult. The attacker would have to use a hidden Iframe and load a form in it, which would execute the desired function on the vulnerable web application. An example is shown here:<iframe style=visibility:"hidden" name="csrf-frame" ></iframe> <form name="csrf" action=""http://vulnerableapp/userinfo/edit.php" method="POST" target="csrf-frame" <input type="hidden" name="email" value="[email protected]"> <input type='submit' value='submit'> </form> <script>document.csrf.submit();</script>
Many people get confused when they read about the attacker's website submitting a form to another website not in its domain. Remember the same origin policy is discussed in the section, Overview of cross-site scripting of this chapter and how XSS gave birth to it. A very important point to keep in mind is that same origin policy does not prevent the browser from submitting a form across domain. It only prevents scripts from accessing data across domains.
The description of CSRF vulnerability clearly suggests that it is a business logic flaw. An experienced developer would create web applications that would always confirm with the user at the screen when performing critical tasks such as changing the password, updating personal details or at the time of making critical decisions in a financial application such as an online bank account. Testing for business logic flaws is not the job of automated web application scanners as their work on predefined rules. For example, most of the automated scanners test for the following things to confirm the existence of a CSRF flaw in the URL:
All the preceding methods used by most automated application scanners are prone to false positives and false negatives. The application would be using an entirely different mitigation technique to defeat the CSRF attack and thus render these scanning tools useless.
The best way to analyze the application for CSRF flaw is to first gain complete understanding on the functionality of the web application. Fire up a proxy such as Burp or ZAP, and capture traffic to analyze the request and the response. You can then create a HTML page, replicating the vulnerable code identified from proxy. The best way to test for CSRF flaws is to do it manually.
The good people at OWASP have tried to make the manual testing easier through the OWASP CSRFTester project. Here are the steps to use the tool:
The pinata-csrf-tool hosted at https://code.google.com/p/pinata-csrf-tool/ is another tool that we often use to create POCs for CSRF flaws.
Here, we will discuss a few mitigation techniques for the CSRF attack:
GET
method. Therefore, avoid it in the first place and use the POST
method wherever possible. It does not fully mitigate the attack but makes the attacker's task difficult.3.145.109.8