Are you aware of cross-site-request-forgery?


What is this? ❓


Cross-Site Request Forgery, or CSRF for short, is an attack that forces a user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing operations: an attacker tricks a legitimate user of a legitimate web application into executing actions of the attacker's choosing. A successful CSRF attack can perform state-changing requests such as transferring funds, changing account settings and so forth.

A CSRF attack inherits the identity and privileges of the victim to perform an undesired action on the victim's behalf. For most sites, the browser automatically attaches any credentials associated with the site to every request it sends there, such as the user's session cookie. Therefore, if the user is currently authenticated to the site, the site cannot tell the difference between a legitimate request sent by the victim and a forged request that the attacker caused the victim's browser to send.




Forcing the victim to retrieve data doesn't benefit the attacker, because the attacker doesn't receive the response; the victim's browser does, and the same-origin policy keeps the attacker's page from reading it. So CSRF attacks target state-changing requests, such as changing the password or email address, purchasing something, or transferring funds.

It is also possible to store a CSRF attack on the vulnerable site itself; this is called a "stored CSRF flaw". The attacker can store an IMG or IFRAME tag in a field that accepts HTML, or plant it through a cross-site scripting attack. This variant is more severe because the victim is sure to be authenticated to the site already.

Let's see how this works.

Assume that Alice wants to transfer $100 to Bob via the banker.com web application, which is vulnerable to CSRF. Evie, an attacker, wants to trick Alice into sending the money to Evie's account instead. So the attacker first builds an exploit URL or script, then uses some social engineering to trick Alice into executing the malicious action.


If the application is designed to use GET requests to perform this action, the request will look like this:

http://banker.com/transfer.do?account=BOB&amount=100


Evie modifies the above request so that it transfers $10000 to Evie's own account. The modified URL will look like this:

http://banker.com/transfer.do?account=EVIE&amount=10000


By social engineering, Evie can trick Alice into loading the above URL while she is logged into the banking application. For example, Evie sends Alice an email containing the following HTML tag:

<img src="http://banker.com/transfer.do?account=EVIE&amount=10000" width="0" height="0" border="0">


When Alice opens this email, she won't see anything, because the image is zero-sized. However, the browser will still request the image URL from banker.com, and that request carries Alice's session cookie, so the transfer is executed.



If it's a POST?

Assume the application uses POST requests to handle the transaction. Evie can still lure Alice to an attacker-controlled web site, opened in the same browser (for example in a new tab), that contains the following code:

<html>
<body onload="document.forms[0].submit()">
<!-- The form posts to banker.com; Alice's browser attaches her banker.com session cookie -->
<form action="http://banker.com/transfer.do" method="POST">
<input type="hidden" name="account" value="EVIE"/>
<input type="hidden" name="amount" value="10000"/>
<input type="submit" value=""/>
</form>
<!-- ... the rest of the decoy page's content ... -->
</body>
</html>

The form is submitted automatically when the page loads. In any case, for the attack to succeed Alice must be logged in to banker.com at the time, so that her browser sends her session cookie along with the forged request.



How to prevent CSRF attacks?


CSRF prevention techniques work by adding data to each state-changing request that an attacker's page cannot supply, typically a secret token tied to the user's session, so that the web application can detect requests that did not originate from its own pages.



There are a few techniques for adding that extra data (tokens) to requests. The synchronizer token pattern embeds a random, per-session token in every form or AJAX request, and the server rejects any state-changing request whose token does not match the one stored in the session. The double submit cookie pattern sends the token both as a cookie and as a request parameter and checks that the two values agree. These can be backed up by checking the Origin or Referer header against the site's own origin, and by marking the session cookie with the SameSite attribute so that the browser does not attach it to cross-site requests in the first place.

The above are the main techniques used to prevent CSRF attacks by adding additional tokens or data to state-changing requests. User awareness also plays a role, since most CSRF attacks start with social engineering, but because the forged request is invisible to the victim, the real defence has to be enforced on the server.
