CSRF (Cross-Site Request Forgeries)

CSRF occurs when a malicious Web site causes a user's Web browser to perform an unwanted action on a trusted site. CSRF is also known as Cross-Site Reference attack, one-click attack, sidejacking, or Session Riding. A CSRF attack on a fictitious e-mail system can cause a user to click "Send" to send a message.
CROSS-SITE REQUEST FORGERIES

Kjell Jørgen Hole
NoWires Research Group
Department of Informatics
University of Bergen

Last updated August 31, 2009

OVERVIEW

Cross-Site Request Forgery (CSRF) defined
Simplified CSRF example
CSRF and authentication
CSRF attack vectors
Countermeasures
Conclusion
CSRF DEFINED

CSRF DEFINITION

CSRF occurs when a malicious Web site causes a user’s Web browser to perform an unwanted action on a trusted site.
CSRF is also known as Cross-Site Reference attack, One-Click attack, Sidejacking, or Session Riding.
CSRF ILLUSTRATED

[Figure: User, Web browser, Trusted site; an authenticated session links the browser to the Trusted site, over which a trusted action is performed]

The Web browser has established an authenticated session with the Trusted site.

[Figure: same diagram; the browser performs a trusted action initiated by the user]

The Web browser tries to perform a trusted action initiated by the user.

CSRF: The Attacking site causes the browser to send a request to the Trusted site. The attack is possible because the Trusted site authenticates the browser, not the user.

[Figure: same diagram with an Attacking site that makes the browser send the request over the authenticated session]
XSS VERSUS CSRF

Contrary to Cross-Site Scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has for a particular user.
It is not necessarily true that defenses against XSS also protect against CSRF.
SIMPLIFIED CSRF EXAMPLE

E-MAIL SYSTEM EXAMPLE

We consider a fictitious e-mail system example.com that allows users to send mail from their browsers.

[Figure: Client side (User, Web browser) and Server side (example.com)]
HTML FORM IN BROWSER

[Figure: the Web page http://example.com/compose.htm contains an HTML form to send e-mail, with the fields To: bob@example.com, Subject: CSRF, Message: ..., and a "Send" button]

When the user clicks “Send” the e-mail is sent in an HTTP GET request.

GET REQUEST

The HTML form causes a GET request to append the form data to a URL:

http://example.com/send_email.htm?to=bob%40example.com&subject=CSRF&msg=When+the+user+...

The page send_mail.htm takes the URL data and generates an e-mail to the recipient from the user.
VULNERABILITY!

The page send_mail.htm simply performs actions with the received data.
It does not care where the request originated.
In fact, a user could manually type the URL in the browser’s address bar.

POSSIBLE ATTACK

If an attacker can force the user’s browser to send an HTTP GET request to send_mail.htm, then this page will send an e-mail on the user’s behalf containing data chosen by the attacker.
ATTACK ILLUSTRATION

[Figure: User, Web browser, Web page, example.com; the browser requests a page from a site controlled by the attacker]

User causes browser to load Web page from site controlled by an attacker.

MALICIOUS WEB PAGE

<img src="http://example.com/send_email.htm?to=mallory%40example.com&subject=Hi&msg=My+email+address+has+been+stolen">

Malicious Web page uses HTML <img> tag to send a fake e-mail.
ATTACK ILLUSTRATION ...

[Figure: downloaded malicious Web page, example.com, Malicious site; the page sends a fake e-mail to example.com]

Downloaded malicious Web page generates fake e-mail.

IMPORTANT OBSERVATION

The attack can typically carry out the same actions as the user.
Hence, the more power a site gives to a user, the more serious are possible CSRFs.
CSRF AND AUTHENTICATION

AUTHENTICATION VULNERABILITIES

CSRF exploits the authentication mechanism, or the lack of such a mechanism, at a Web site.
Usually, the authentication only ensures that a request is from the user’s browser, not that the user actually initiated the request.
EXAMPLE: EXPLOITING SESSION COOKIE

[Figure: User, Web browser, Trusted site; username + password sent from the browser to the Trusted site]

Step 1: When the user points the browser to the Trusted site, he is asked to log on.

EXAMPLE ...

[Figure: the Trusted site sets a browser cookie in the Web browser]

Step 2: Trusted site registers that the user is logged in and sets a session cookie containing a session identifier in the Web browser.

EXAMPLE ...

[Figure: the browser downloads a malicious Web page from the Attacking site while holding the cookie for the Trusted site]

Step 3: User visits attacker-controlled site and downloads Web page with malicious code.

EXAMPLE ...

[Figure: the malicious Web page makes the browser send a malicious request to the Trusted site]

Step 4: Browser renders malicious Web page and generates request to Trusted site. Browser automatically adds session cookie to request.
DISCUSSION

CSRF is successful because the browser automatically adds the session cookie to the request.
Other possible attacks can exploit stored passwords or (semi-)permanent cookies in the browser.

SSL DOESN’T PREVENT ATTACK

[Figure: User, Web browser, Trusted site with an SSL session between browser and site; Attacking site]

CSRF is possible because the SSL session is only linked to the browser.
Note that the user’s browser must access the attacking site while the SSL session is active.
CSRF ATTACK VECTORS

ATTACK VECTORS

User must be “logged into” Trusted site and visit Attacking site.
If Trusted site accepts GET requests, then the <img> tag can be used to generate a malicious request.
If Trusted site only accepts POST requests, then it is necessary to use JavaScript to generate a malicious request.
ATTACK VECTORS ...

Can initiate a CSRF by sending a victim an e-mail with a link to a malicious Web page.
Also possible to post malicious code to an online discussion forum to start an attack when a victim reads the posting.

OBSERVATION

All applications, routers, switches, firewalls, etc. whose user authentication satisfies one of the following criteria are vulnerable to CSRF:
No user authentication
Authentication based on pre-set values
Implicit authentication automatically administered by browser
COUNTERMEASURES

SERVER-SIDE DEFENSE

1. Allow a GET request to only retrieve data, not modify data on the server.
This protects sites from CSRF using <img> tags or other types of GET requests.
Recommendation follows RFC 2616.
SERVER-SIDE DEFENSE ...

2. Require all POST requests to include a pseudo-random value.
Cryptographically strong value should be set as a cookie in the user’s browser and be included in every form submitted to the server.
The server should only accept a POST request if the random values in the cookie and the form are equal.
Attacker doesn’t have access to cookie.

SERVER-SIDE DEFENSE ...

In order to allow a user to have multiple forms open on a site, the random value should be used by all forms during a certain amount of time.
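To make server-side countermeasures 1 and 2 concrete, here is an added example (not from the deck) that models the send_mail.htm page of the simplified example beside a hardened version: GET is refused for sending, and a POST is accepted only when the pseudo-random form value equals the cookie value. The request/cookie dicts, status codes and token values are constructed stand-ins, not the deck's own code.

```python
import hmac
import secrets

# Constructed toy model of the deck's example.com mail service: a request is
# (method, params, cookies). The browser attaches cookies automatically, which
# is exactly what a forged request relies on. Sent mail is collected in a list.

def new_csrf_token() -> str:
    """Cryptographically strong pseudo-random value the server sets as a cookie
    and embeds in every form it serves (countermeasure 2)."""
    return secrets.token_urlsafe(32)

def vulnerable_send_mail(method, params, cookies, sent):
    """send_mail.htm as the deck describes it: any request carrying the
    session cookie sends mail, whatever its method or origin."""
    if "session" not in cookies:
        return 401
    sent.append((params["to"], params["subject"], params["msg"]))
    return 200

def hardened_send_mail(method, params, cookies, sent):
    """Countermeasures 1 and 2: GET never modifies data, and a POST is
    accepted only if its csrf form field equals the csrf cookie."""
    if "session" not in cookies:
        return 401
    if method != "POST":
        return 405  # GET may only retrieve data (RFC 2616 method semantics)
    cookie_tok = cookies.get("csrf", "")
    form_tok = params.get("csrf", "")
    # Constant-time comparison. The attacking site cannot read the cookie,
    # so it cannot put a matching value into the form it forges.
    if not cookie_tok or not hmac.compare_digest(cookie_tok, form_tok):
        return 403
    sent.append((params["to"], params["subject"], params["msg"]))
    return 200

def simulate(handler):
    """Replay the deck's scenario against a handler: returns (status codes, mail sent)."""
    sent, token = [], new_csrf_token()
    # Browser state after step 2: cookies set by example.com (values constructed)
    cookies = {"session": "sid-constructed", "csrf": token}
    mail = {"to": "bob@example.com", "subject": "CSRF", "msg": "When the user ..."}
    # Legitimate: user submits compose.htm, which carries the token as a hidden field
    legit = handler("POST", dict(mail, csrf=token), cookies, sent)
    forged = {"to": "mallory@example.com", "subject": "Hi", "msg": "stolen"}
    # Forged via <img> tag: a GET the browser sends with the cookies attached
    img_get = handler("GET", forged, cookies, sent)
    # Forged via script-submitted POST: cookies still ride along, but the attacker can only guess the token
    js_post = handler("POST", dict(forged, csrf="guess"), cookies, sent)
    return (legit, img_get, js_post), sent
```

Running simulate() against both handlers shows that the vulnerable page sends all three mails, while the hardened page sends only the user's own and rejects the two forged requests even though the browser attached the cookies to them.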
CLIENT-SIDE DEFENSES

Log out immediately after a task has been completed.
Do not start other tasks while a sensitive task is performed.
Never store usernames/passwords in browser.

CONCLUSION

SIGNIFICANT PROBLEM

Numerous Web sites seem to be vulnerable to CSRF.
Only standard programming techniques are needed to implement attacks.
Consequently, CSRF is a significant problem that all developers need to take seriously.

SOURCE

W. Zeller and E. W. Felten, “Cross-Site Request Forgeries: Exploitation and Prevention,” Technical Report, Princeton University, 2008; www.freedom-to-tinker.com/sites/default/files/csrf.pdf
