Wednesday, October 05, 2011

Cross-Site Request Forgery explained

A Cross-site Request Forgery, aka CSRF or one-click attack, is a diffused security issue issue where unathorized commands are sent from the user's browser to a web site or a web application. CSRF is different from Cross-Site Scripting in the sense that it does not need to inject code into trusted pages, but can work from untrusted ones thanks to the open architecture of the web.

A quick example

I was browsing the bug tracker of a popular web service to propose an improvement, where I saw that the only Critical ticket was related to CSRF vulnerabilities.

The website uses links for the deletion of the current user's data, such as /delete_my_items. When a user follows the link present on his account page, his session cookie establish his identity and his data is deleted.

To perform an attack, we only have to make the user load this URL. A simple link would probably not work, but we can easily reach the same goal with an image:

<img src="" />

We just have to provide a link to a page containing this image for the user, or send it to him in an HTML email.

How it works

Unlike for XMLHttpRequest, images and other resources can be loaded from whatever hostname, and even if the image tag is hosted on a different website it won't matter.

Since the request is performed by the user's browser, it will transmit the session cookie as it would for any page.

The point of all CSRF attacks is tricking the browser into sending an unwanted HTTP request, so that there is no need to steal the identity of the user. That's probably why our banks log us out after 2 minutes of inactivity, or require one-time tokens to authorize money transfers.

Read more: Web Builder Zone
QR: cross-site-request-forgery

Posted via email from Jasper-Net