Cross-Site Request Forgery (CSRF) Attack

3.1 Task 1: Observing HTTP Request

Figure annotations (screenshot of the add-friend request captured in the browser's HTTP inspector):
• Elgg's countermeasure against CSRF attacks is disabled.
• URL of Elgg's add-friend request. The UserID (GUID) of the user to be added to the friend list is used; here Alice's GUID is 44.
• Session cookie, which is unique for each user and is automatically sent by the browser.
3.2 Task 2: CSRF Attack using GET Request
The img tag will trigger an HTTP GET request. When a browser renders a web page and sees an
img tag, it sends an HTTP GET request to the URL specified in the src attribute.

To do this:

1- We go to Files > Computer > var > www > CSRF > Attacker.
We find the folder empty; we right-click with the mouse and choose "Open in Terminal".
2- Type the command sudo gedit CSRFlabattcker.html (name of file).

The attacker uses the add-friend URL along with the friend parameter as the src of the img tag. The size of the image is very
small so that the victim is not suspicious. The web page is placed in the malicious
website www.csrflabattacker.com (inside the /var/www/CSRF/Attacker folder).
Now from Boby's profile we put the link in his blog.

Now we log in from Alice's profile and click the link.

The result: Alice became a friend of Boby.


3.3 Task 3: CSRF Attack using POST Request
To do this:

1- We go to Files > Computer > var > www > CSRF > Attacker.
We find the folder empty; we right-click with the mouse and choose "Open in Terminal".

2- Type the command sudo gedit post.html (name of file).

Now from Boby's profile we put the link in his blog.

Now we log in from Alice's profile. After that we click the link.
• Question 1: The forged HTTP request needs Alice’s user id (guid) to work
properly. If Boby targets Alice specifically, before the attack, he can find ways to
get Alice’s user id. Boby does not know Alice’s Elgg password, so he cannot log
into Alice’s account to get the information. Please describe how Boby can solve
this problem.
Because Alice's profile is public, Boby can visit it without logging in. In the
browser, he right-clicks, chooses "Inspect", and searches the page source for "guid";
the GUID of Alice's account appears in the code of her profile page.
• Question 2: If Boby would like to launch the attack to anybody who visits his
malicious web page. In this case, he does not know who is visiting the web page
beforehand. Can he still launch the CSRF attack to modify the victim’s Elgg
profile? Please explain.
No, we cannot launch the CSRF attack, as we need the GUID of the victim.
Otherwise, we would not know how to construct the target URL to forge the request.

Since form data must be sent, we use a POST request for this attack. This is a cross-site
request forgery attack in which a POST request is used to modify the contents of the victim's
profile. Here we have the trusted website www.csrflabelgg.com, a user logged in to that trusted website, and
the malicious website www.csrflabattacker.com created by the attacker.
So first, Boby has to find the victim's ID so that he can modify the contents of that profile.
Then he has to construct the URL of the profile-edit action so that he can generate a POST request that modifies the victim's profile.
He creates a web page that sends a POST request to the server; the page recreates the profile
submission form with changed contents. This web page is sent as blog contents. Therefore,
when the victim clicks on the link, the contents of the profile are changed. Here a request is sent
from the malicious site to the Elgg site posing as the victim. This is a counterfeit request sent via the
attacker's site. For Elgg, the request appears as if the victim is the one trying to edit their own page.
So this attack cannot be launched against just anyone visiting the malicious web page, because
each user's user ID is different, and only when the user ID of the logged-in user matches the user ID
specified in the web page can the attack succeed. The attack works when the user whose ID is
specified in the web page has an active session with Elgg and visits that web page; by changing
that user ID we can perform the attack on other users as well.
3.4 Task 4: Implementing a countermeasure for Elgg

We comment out the "return true;" line that disables the countermeasure.

Now, I try the CSRF attack again by clicking on the link in Boby's account. Elgg doesn't
execute the request and gives the message "this page forges…….etc.", as shown in the picture.
Observation: I tried to perform the attack again with the countermeasure turned on, but
it failed. We modified the code and added values for the fields elgg_token and timestamp; that
time, when we click on the link, our attack is still not successful. We can see that the description
is not modified.

Explanation: The countermeasure is to send two fields, a timestamp and a unique token, along with
each request. When the countermeasure is turned on, Elgg checks these values: it verifies that
they are valid for the current session of the user. The secret token
validation fails when we perform the attack with the countermeasure turned on because Elgg
identifies the request as a cross-site request and not a request from the user.
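To show why adding our own elgg_token and timestamp values to the forged page still failed, here is a Python model of the scheme the explanation describes. It is an added example, not Elgg's own code: the token is an HMAC over the session identifier and the timestamp under a server-side secret, so a token is only valid for the session it was issued to and only within a validity window. The field names follow Elgg's __elgg_ts/__elgg_token convention; the secret, the lifetime and the session identifiers are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret: stays on the Elgg server and never reaches a browser.
# Generated at start-up here (constructed for the example).
SITE_SECRET = secrets.token_bytes(32)
TOKEN_LIFETIME = 300  # seconds a token stays valid (assumed value)


def make_token(session_id: str, ts: int) -> str:
    """Bind a token to one session and one timestamp with an HMAC."""
    msg = f"{session_id}:{ts}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def issue_form_fields(session_id: str, now: int) -> dict:
    """Fields the server embeds in the genuine edit-profile form."""
    return {"__elgg_ts": str(now), "__elgg_token": make_token(session_id, now)}


def validate(session_id: str, fields: dict, now: int) -> tuple[bool, str]:
    """Server-side check run on every state-changing action."""
    ts_raw = fields.get("__elgg_ts")
    token = fields.get("__elgg_token")
    if ts_raw is None or token is None:
        return False, "missing token or timestamp"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    if not 0 <= now - ts <= TOKEN_LIFETIME:
        return False, "timestamp outside validity window"
    expected = make_token(session_id, ts)
    # Constant-time comparison so the check leaks nothing about the token.
    if not hmac.compare_digest(expected, token):
        return False, "token does not match this session"
    return True, "ok"


def scenarios() -> dict:
    """Constructed sessions for Alice (victim) and Boby (attacker)."""
    now = 1_700_000_000
    alice, boby = "sess-alice-constructed", "sess-boby-constructed"
    genuine = issue_form_fields(alice, now)
    # Boby can only read the fields Elgg issues to *his* own session.
    copied_from_boby = issue_form_fields(boby, now)
    return {
        "genuine": validate(alice, genuine, now + 5)[0],
        "no_fields": validate(alice, {"description": "x"}, now + 5)[0],
        "copied_from_boby": validate(alice, copied_from_boby, now + 5)[0],
        "expired": validate(alice, genuine, now + TOKEN_LIFETIME + 1)[0],
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:18s} accepted={accepted}")
```

The "copied_from_boby" case is the one the observation above ran into: values taken from a form rendered in Boby's session are rejected when they arrive with Alice's session cookie, and without Alice's session the attacker's page cannot compute a token that the server will accept.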
