Cross-Site Request Forgery (CSRF, pronounced "sea-surf") is a common class of web vulnerability, though it is exploited less often than its prevalence would suggest. It abuses a website's trust in the user's browser: the browser attaches the user's cookies to every request it sends to that site, so a request triggered from a page the attacker controls, for example a form action that sends money to another account, is accepted as if the user had made it deliberately. The forged request is usually hidden in an innocuous place such as an HTML image tag.
The target site processes the request as soon as the victim's browser loads the attacker's page, because an image tag fetches its source automatically and the browser sends the victim's still-valid session cookie along with it. The victim never sees a prompt and never clicks anything, which is exactly what makes this such an undesirable outcome.
In this Null Byte, we're going to see exactly how these attacks work, how to prevent them in code, and what users can do to stop them from being used against them.
Set the Stage
For this attack to work you need somewhere to host HTML that the victim will view. The easiest option is a site that lets users post raw HTML; to find out whether one does, try to craft an HTML link in a post or private message with the following code.
If you get a clickable link like this, then you've done it correctly and the site does allow HTML. Note that the site hosting the payload is not the site you are attacking; any page the victim loads will do, including one you host yourself. The target site, on the other hand, must not validate the HTTP Referer or Origin header and must not require a per-session token on the action you are forging.
The user being targeted must be logged into the site we are forging the request to, because the attack relies on the browser sending that site's session cookie automatically.
Execution
An attacker needs the victim to be logged into the target site. Next, find a form action that performs a state-changing operation and can be manipulated, ideally one that works with a plain GET request and carries no unpredictable token. Search the page source or test-submit forms until you find something like this:
http://www.somebank.com/moneysend?from=alex&amount=100&for=nullbyte
You can manipulate it to send more money, like so:
http://www.somebank.com/moneysend?from=alex&amount=999999&for=nullbyte
To deploy this attack, we just toss this forged link into the src attribute of an image tag.
The request fires whenever the target views the page carrying the spoofed image tag: the browser tries to load the "image", sends the bank's session cookie with the request, and the transfer goes through. So just post the code to any old site that allows HTML and it will work against every logged-in visitor.
But what if they have filter protection on image sources? An anonymous redirect service or an open redirect on an allowed domain will get past a simple URL filter, and an XSS bug on the target site lets you open a new page with JavaScript, which bypasses redirect filters entirely (and with XSS on the target, the attacker can usually read the anti-CSRF token as well, so token checks no longer help). This is a very dangerous attack.
Prevention Measures
- If you are the developer: never change state on a GET request, require a per-session secret token on every state-changing form, and check the Origin or Referer header against your own host. Marking the session cookie SameSite keeps the browser from sending it on cross-site requests in the first place.
- Use NoScript. It helps block XSS and script-driven cross-site attacks, though a plain image-tag CSRF needs no JavaScript at all.
- Disable automatic image loading in your browser. This stops the image-tag vector, but not a form that a script submits for you.
- Only use sites that you trust. However, this only improves your chances of being safe; even large sites get it wrong, and YouTube has been reported to have CSRF vulnerabilities across many of the actions a user can perform on the site.
Come say hello to the Null Byte crew! We're starting to get a lot of new members in IRC, you should join us!
Photo via Dr. Jays