CROSS-SITE REQUEST

FORGERIES
Kjell Jørgen Hole
NoWires Research Group
Department of informatics
University of Bergen

Last updated August 31, 2009

OVERVIEW

Cross-Site Request Forgery (CSRF) defined

Simplified CSRF example

CSRF and authentication

CSRF attack vectors

Countermeasures
Conclusion

2
 CSRF DEFINED

CSRF DEFINITION

CSRF occurs when a malicious Web site causes a

user’s Web browser to perform an unwanted action
on a trusted site
CSRF is also known as Cross-Site Reference attack,
One-Click attack, Sidejacking, or Session Riding

4
 CSRF ILLUSTRATED

Authenticated session Trusted site

Web
User
browser Trusted
action

The Web browser has established an

authenticated session with the Trusted site

Authenticated session Trusted site

Web
User
browser Trusted
action

The Web browser tries to perform a

trusted action initiated by the user

6
 CSRF: The Attacking site causes the browser to
send a request to the Trusted site. The attack is
possible because the Trusted site authenticates
the browser, not the user

Authenticated session Trusted site

Web
User
browser Trusted
action

Attacking
site

XXS VERSUS CSRF

Contrary to Cross-Site Scripting (XSS), which exploits

the trust a user has for a particular site, CSRF exploits
the trust that a site has for a particular user
It is not necessarily true that defenses against XSS also
protect against CSRF

8
 SIMPLIFIED CSRF EXAMPLE

E-MAIL SYSTEM EXAMPLE

We consider a fictitious e-mail system example.com

that allows users to send mail from their browsers

Client Server

User Web example.

browser
com

10
 HTML FORM IN BROWSER

To: [email protected]
Subject: CSRF Web page http://
Message: example.com/
compose.htm
When the user clicks “Send”
the e-mail is sent in a HTTP Contains a HTML
GET request form to send e-mail

Send
11

GET REQUEST

The HTML form causes a GET request to append the

form data to an URL:

http://example.com/send_email.htm?
to=bob%40example.com&subject=CSRF&
msg=When+the+user+...

The page send_mail.htm takes the URL data and

generates an e-mail to the recipient from the user

12
 VULNERABILITY!

The page send_mail.htm simply performs

actions with the received data
It does not care where the request originated
In fact, a user could manually type the
URL in the browser’s address bar

13

POSSIBLE ATTACK

If an attacker can force the user’s browser to send

a HTTP GET request to send_mail.htm, then
this page will send an e-mail on the user’s behalf
containing data chosen by the attacker

14
 ATTACK ILLUSTRATION

Request page
Web Web
User browser page

User causes browser to load

Web page from site controlled example.
by an attacker com

15

MALICIOUS WEB PAGE

<img src="http://example.com/send_email.htm?
<
to=mallory%40example.com&subject=Hi&msg=My
+ email+address+has+been+stolen">

Malicious Web pages uses HTML <img> tag to

send a fake e-mail
16
ATTACK ILLUSTRATION ...

Fake e-mail
Web example.
page com

Downloaded malicious Web

Malicious page generates fake e-mail
site

17

IMPORTANT OBSERVATION

The attack can typically carry out the same actions

as the user
Hence, the more power a site gives to a user, the
more serious are possible CSRFs

18
CSRF AND AUTHENTICATION

AUTHENTICATION
VULNERABILITIES

CSRF exploits the authentication mechanism,

or the lack of such a mechanism, at a Web site
Usually, the authentication only ensures that
a request is from the user’s browser, not that
the user actually initiated the request

20
 EXAMPLE:
EXPLOITING SESSION COOKIE

Username + password
Web Trusted
User
browser site

Step 1: When the user points the browser

to the Trusted site, he is asked to log on

21

EXAMPLE ...

Browser cookie Trusted

Web
User
browser site

Step 2: Trusted site registers that the

user is logged in and sets a session cookie
containing a session identifier in the Web
browser
22
 EXAMPLE ...

Web Malicious Web page

Web
User browser
page
Cookie for Trusted site

Trusted
Step 3: User visits attacker- site
controlled site and downloads
Web page with malicious code

23

EXAMPLE ...

Step 4: Browser renders malicious

Web page and generates request to
Attacking
Trusted site. Browser automatically site
adds session cookie to request.

Malicious request
Web Trusted
User
page site

24
 DISCUSSION

CSRF is successful because the browser

automatically adds the session cookie to
the request
Other possible attacks can exploit stored
passwords or (semi-) permanent cookies
in the browser

25

SSL DOESN’T PREVENT ATTACK

SSL session
Web Trusted
User
browser site

CSRF is possible because the SSL session

Attacking is only linked to the browser
site
Note that the user’s browser must access
the attacking site while the SSL session is
active
26
 CSRF ATTACK VECTORS

ATTACK VECTORS

User must be “logged into” Trusted site and visit

Attacking site
If Trusted site accepts GET requests, then the
<img> tag can be used to generate a malicious
request
If Trusted site only accepts POST requests, then
it is necessary to use a JavaScript to generate
a malicious request

28
 ATTACK VECTORS ...

Can initiate a CSRF by sending a victim an

e-mail with a link to a malicious Web page
Also possible to post malicious code to an
online discussion forum to start an attack
when a victim reads the posting

29

OBSERVATION

All applications, routers, switches, firewalls, etc.

whose user authentication satisfies one of the
following criteria are vulnerable to CSRF
No user authentication
Authentication based on pre-set values

Implicit authentication automatically

administered by browser

30
 COUNTERMEASURES

SERVER-SIDE DEFENSE

1. Allow a GET request to only retrieve data, not

modify data on the server

This protects sites from CSRF using <img>

tags or other types of GET requests
Recommendation follows RFC 2616

32
 SERVER-SIDE DEFENSE ...

2. Require all POST requests to include a pseudo-

random value
Cryptographically strong value should be set as
a cookie in the user’s browser and be included
in every form submitted to the server
The server should only accept POST request if
the random values in the cookie and the form
are equal
Attacker doesn’t have access to cookie
33

SERVER-SIDE DEFENSE ...

In order to allow a user to have multiple forms

open on a site, the random value should be used
by all forms during a certain amount of time

34
 CLIENT-SIDE DEFENSES

Log out immediately after a task has been completed

Do not start other tasks while a sensitive task is

performed
Never store usernames/password in browser

35

CONCLUSION
 SIGNIFICANT PROBLEM

Numerous Web sites seem to be vulnerable to CSRF

Only standard programming techniques are needed
to implement attacks
Consequently, CSRF is a significant problem that all
developers need to take seriously

37

SOURCE

W. Zeller and E. W. Felten, “Cross-Site Request

Forgeries: Exploitation and Prevention,” Technical
Report, Princeton University, 2008;
www.freedom-to-tinker.com/sites/
default/files/csrf.pdf

38