Cross-Site Request Forgery (CSRF, pronounce "sea-surf") is a common web exploit. However, for unknown reasons it's not used very often. It plays on a given website's trust in a web browser by executing another website's form action, for example, sending money to another person. It's usually placed in abnormal places like HTML image tags.
A website will automatically load the form action from the other site if the users cookies are still active, because it's placed in a tag that loads its content when the page is loaded. This is a very undesired outcome!
In this Null Byte, we're going to see exactly how these attacks work and how we can prevent them in code, as well as on the user-end to stop them from being used on you.
Step 1 Set the Stage
For this attack to work you need a website that allows HTML. To find this out, try to craft an HTML link on a post or private message somewhere with the following code.
<a href="www.google.com" rel="nofollow" target="_blank" >google</a>
If you get a clickable link like this, then you've done it correctly and the site does allow HTML. However, for this to work a site must not check for HTTP referer headers.
The user being targeted for this form of CSRF must be logged into the site we are forging a request from.
Step 2 Execution
An attacker needs to make sure the user is logged into the target site. Next, a form action needs to be found that initiates a certain action, one that can be manipulated. Search a page source or test submit forms until you find something like this:
http://www.somebank.com/moneysend?from=alex&amount=100&for=nullbyte
You can manipulate it to send more money, like so:
http://www.somebank.com/moneysend?from=alex&amount=999999&for=nullbyte
To deploy this attack, we just toss this forged link into an image tag.
<img src="http://www.somebank.com/moneysend?from=alex&amount=9999999&for=nullbyte">
This attack vector will load whenever the attack target views the page with the spoofed image tag on it. So just post the code to any old site that allows HTML and it will work.
But what if they have filter protection? Well, you can use anonymous redirect services or find an XSS exploit to open a new page with JavaScript, which will bypass any redirect filters. This is a very dangerous attack.
Prevention Measures
- Use NoScript. It will block XSS and other cross-site attacks.
- Disable automatic image loading in your browser.
- Only use sites that you trust. However, this only increases your chances of being safe. YouTube has CSRF vulnerabilities on literally every action a user can perform on the site.
Come say hello to the Null Byte crew! We're starting to get a lot of new members in IRC, you should join us!
Just updated your iPhone? You'll find new emoji, enhanced security, podcast transcripts, Apple Cash virtual numbers, and other useful features. There are even new additions hidden within Safari. Find out what's new and changed on your iPhone with the iOS 17.4 update.
5 Comments
Uh oh...I thought Youtube was safe to use! So just clicking on a video could initiate an attack? I have noticed that Kaspersky blocks some ads and images on certain websites, citing a hidden dangerous URL.
Well, you're safe ON YouTube, you're just not safe on other websites, because it's easy to forge fake page requests from someone. So, someone could be signed into their gmail, and click a bad link on www.example-site.com, and it could delete users, change passwords etc on YouTube.
Interesting! I think it is time to switch back to Firefox (from Chrome), i feel like the NoScript Extension is a must...
Use this.
wow thanx! looks better also ;)
Share Your Thoughts