How Hackers Steal Your Cash on Trusted Sites & How to Prevent Against It

Oct 19, 2011 07:30 PM

Cross-Site Request Forgery (CSRF, pronounced "sea-surf") is a common web exploit. However, for unknown reasons it's not used very often. It abuses a website's trust in the user's browser: a page on one site triggers a form action on another site where the user is already logged in, for example, sending money to another person. The forged request is usually hidden in abnormal places like HTML image tags.

The target site will process the forged form action automatically if the user's session cookies are still valid, because the browser sends those cookies along when it fetches the image tag's URL while the page loads. This is a very undesirable outcome!

In this Null Byte, we're going to see exactly how these attacks work and how we can prevent them in code, as well as on the user-end to stop them from being used on you.

Set the Stage

For this attack to work you need a website that allows HTML. To find out, try to craft an HTML link in a post or private message somewhere with the following code.

google

If you get a clickable link like this, then you've done it correctly and the site does allow HTML. However, for the attack to work, the target site must also not check HTTP Referer headers.

The user being targeted for this form of CSRF must be logged into the site we are forging a request from.

Execution

An attacker needs to make sure the user is logged into the target site. Next, a form action needs to be found that initiates a specific action, one whose parameters can be manipulated. Search the page source or test-submit forms until you find something like this:

http://www.somebank.com/moneysend?from=alex&amount=100&for=nullbyte

You can manipulate it to send more money, like so:

http://www.somebank.com/moneysend?from=alex&amount=999999&for=nullbyte

To deploy this attack, we just toss this forged link into an image tag.



This attack vector fires whenever the target views the page containing the spoofed image tag. So just post the code on any old site that allows HTML and it will work.

But what if they have filter protection? Well, you can use anonymous redirect services or find an XSS exploit to open a new page with JavaScript, which will bypass any redirect filters. This is a very dangerous attack.

Prevention Measures

  • Use NoScript. It will block XSS and other cross-site attacks.
  • Disable automatic image loading in your browser.
  • Only use sites that you trust. However, this only increases your chances of being safe. YouTube has CSRF vulnerabilities on literally every action a user can perform on the site.
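The list above covers the user side. The server-side fix the intro promised is to stop trusting the session cookie alone: require a per-session token that a third-party page cannot know, insist on POST for state changes, and check the Origin/Referer header mentioned in "Set the Stage". The following is an added example, not code from the Null Byte post or from any real bank; the /moneysend handler, the session id and the header values are constructed for illustration, and the token is an HMAC over the session id with a server-only secret.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

# Origin of the site being protected (hypothetical, taken from the article's URL).
SITE_ORIGIN = "http://www.somebank.com"

# Server-only secret; a forum page embedding an <img> tag can never see it.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session; embed it as a hidden field in every
    state-changing form so only pages we rendered can submit it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison so the check itself does not leak the token."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def origin_is_same_site(headers: Dict[str, str]) -> bool:
    """Prefer Origin, fall back to Referer. A request triggered by an <img>
    tag on another site carries that site's Referer, not ours, and a missing
    header is treated as cross-site rather than trusted."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_moneysend(method: str, headers: Dict[str, str],
                     session_id: str, params: Dict[str, str]) -> str:
    """Decide whether a /moneysend request may proceed. Each check alone
    would block the article's forged image tag; layered, they also cover
    the redirect and XSS-launched variants the article mentions."""
    if method != "POST":
        return "rejected: state change must be POST"
    if not origin_is_same_site(headers):
        return "rejected: cross-site origin"
    if not token_is_valid(session_id, params.get("csrf_token")):
        return "rejected: missing or bad csrf token"
    return f"ok: sent {params['amount']} from {params['from']} to {params['for']}"


if __name__ == "__main__":
    # Constructed sample: the article's forged link, fetched by an <img> tag
    # on a forum, arrives as a GET with the forum's Referer and no token.
    forged = {"from": "alex", "amount": "999999", "for": "nullbyte"}
    print(handle_moneysend("GET", {"Referer": "http://forum.example/post/1"},
                           "sess-alex", forged))
    # A form rendered by the bank itself carries the token and our Origin.
    legit = {"from": "alex", "amount": "100", "for": "nullbyte",
             "csrf_token": issue_csrf_token("sess-alex")}
    print(handle_moneysend("POST", {"Origin": SITE_ORIGIN}, "sess-alex", legit))
```

The token check is the one that matters most: a browser will happily send cookies with a cross-site request, but it will not send a value that only appears inside the bank's own HTML. Modern browsers add a further layer if the session cookie is set with the SameSite attribute, which keeps it off cross-site requests entirely.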

Come say hello to the Null Byte crew! We're starting to get a lot of new members in IRC, you should join us!

Photo via Dr. Jays

