CROSS-SITE REQUEST FORGERY.


Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.


This is how www.owasp.org describes Cross-Site Request Forgery (CSRF). Let's try to understand CSRF through a simple real-world example, using the following very simple web application.

It is a very simple implementation with a few pages. Assume that users can register on this website and maintain their accounts. After registration they get a username and password (in this example there is only one user, with username: user and password: pass).



Let's begin!



This is the sample, and it is running on localhost. Registered users can log in to the website using their credentials (username: user and password: pass).






Now suppose a user logs in to the system using the username and password as shown in the picture. The site validates him and redirects him to his profile/account page. The user is now authenticated.

In his account there is an option to deactivate his account: by pressing the Deactivate button he can deactivate it.






This site maintains a session that expires after five minutes. The Deactivate button sends the user to the link https://localhost/Normal/deactivate.php?Deactivate=true. This is a state-changing request. When this request reaches the web server, the server (website) checks whether the session has expired or not. If the session has not expired, the user's account is permanently removed from the database and he will no longer be able to log in to the site with his previous credentials.


Now suppose that after logging in the user opens another tab in the web browser and visits another website (without logging out from the site). This is the moment where CSRF comes into play. Suppose the attacker also knows about this website and has recognized how the state-changing link works. If he wants to deactivate the user's account, all he has to do is send a request to https://localhost/Normal/deactivate.php?Deactivate=true from the user's browser while the user is authenticated and before the session expires. To complete his task the attacker may try different approaches. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.

The attacker can also use his own website (attacker.com). So assume that the site the user opened in the other tab is attacker.com.




As shown in the picture above, the user opens attacker.com in a new tab. Now the attacker wants to forge the request, so what if he does something like this? Look at the next picture.



This is the source code of attacker.com, and we can see that the state-changing link has been injected into the page so that it loads automatically when the page loads. So when the user visits this site, attacker.com sends, without his knowledge, a GET request to https://localhost/Normal/deactivate.php?Deactivate=true.

As mentioned previously, the session expires in 5 minutes. Now suppose the user visits attacker.com before the expiry time: attacker.com sends the request to the server. The server does not recognize this as a forged request because the session is still valid; it assumes the request was made by the user and accepts it. So the user's account is deleted permanently, and the user knows nothing about it. Some time later, when he tries to revisit the previous site, he will run into trouble, because his account has been removed without his knowledge and he can no longer log in with his previous credentials. Look at the image.
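The server-side decision described above (deactivate as long as the session cookie is valid) is exactly what makes the forged GET succeed. The following Python model is an added example, not the PHP code of the demo app: it replays the post's scenario against a handler that behaves like the demo's deactivate.php and against a hardened handler that requires POST, checks the Origin/Referer header against the site's origin, and verifies a per-session synchronizer token. The users table, the session store, the PHPSESSID cookie name and the request objects are constructed stand-ins, and the SameSite=Lax cookie attribute is shown as a third, browser-enforced layer.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed in-memory stand-ins for the demo app's database and session store.
USERS = {"user": {"password": "pass", "active": True}}
SESSIONS: Dict[str, dict] = {}       # session id -> {"username": ..., "csrf_token": ...}
SITE_ORIGIN = "https://localhost"    # origin the demo app is served from


@dataclass
class Request:
    """Minimal model of what the server sees for one HTTP request (constructed)."""
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def login(username: str, password: str) -> Optional[str]:
    """Validate credentials and create a session; returns the session id or None."""
    user = USERS.get(username)
    if user is None or user["password"] != password or not user["active"]:
        return None
    sid = secrets.token_urlsafe(32)
    # The CSRF token is generated per session and never leaves the site's own pages.
    SESSIONS[sid] = {"username": username, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def current_session(req: Request) -> Optional[dict]:
    return SESSIONS.get(req.cookies.get("PHPSESSID", ""))


def deactivate_vulnerable(req: Request) -> str:
    """Models the demo's deactivate.php: any request carrying a valid session
    cookie deactivates the account, so a cross-site GET succeeds."""
    sess = current_session(req)
    if sess is None:
        return "401 not logged in"
    if req.query.get("Deactivate") != "true":
        return "400 bad request"
    USERS[sess["username"]]["active"] = False
    return "200 account deactivated"


def deactivate_hardened(req: Request) -> str:
    """Same action with three CSRF defences:
    1. state change only via POST (an <img> or <a> from another site can only send GET),
    2. Origin (or Referer) must match the site; browsers set it on cross-site POSTs,
    3. the per-session synchronizer token must be echoed in the form body."""
    sess = current_session(req)
    if sess is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state change requires POST"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return "403 cross-site request rejected"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf_token"]):   # constant-time compare
        return "403 missing or invalid CSRF token"
    USERS[sess["username"]]["active"] = False
    return "200 account deactivated"


def session_cookie_header(sid: str) -> str:
    """Set-Cookie line for the session. SameSite=Lax stops the browser from attaching
    the cookie to cross-site subresource loads and cross-site POSTs at all."""
    return f"Set-Cookie: PHPSESSID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo() -> dict:
    """Replays the post's scenario against both handlers and returns the outcomes."""
    USERS["user"]["active"] = True
    sid = login("user", "pass")
    # Constructed forged request: what attacker.com's auto-loaded link produces.
    forged = Request("GET", "/Normal/deactivate.php", query={"Deactivate": "true"},
                     cookies={"PHPSESSID": sid},
                     headers={"Referer": "https://attacker.com/"})
    vuln = deactivate_vulnerable(forged)
    USERS["user"]["active"] = True          # reset the account for the second run
    hard_forged = deactivate_hardened(forged)
    # Legitimate request: the user's own Deactivate form on the site, token included.
    legit = Request("POST", "/Normal/deactivate.php",
                    form={"csrf_token": SESSIONS[sid]["csrf_token"]},
                    cookies={"PHPSESSID": sid},
                    headers={"Origin": SITE_ORIGIN})
    hard_legit = deactivate_hardened(legit)
    return {"vulnerable_forged": vuln, "hardened_forged": hard_forged,
            "hardened_legit": hard_legit, "cookie": session_cookie_header(sid)}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows the forged GET accepted by the vulnerable handler and refused by the hardened one, while the user's own form submission still goes through. The three checks are deliberately layered: the POST requirement alone does not stop a cross-site auto-submitted form, the Origin check depends on the browser sending the header, and the synchronizer token is the check that holds even when the other two are bypassed.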





Now the attacker's attempt has been successful. This is a basic demonstration of cross-site request forgery.
All the samples that we used in this post are uploaded at the following link, and anybody can try them out.
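On the server side, a forged request of the kind shown in this post leaves a recognisable trace in the access log: a GET to a state-changing endpoint whose Referer belongs to another site. The following Python script is an added example, not part of the post or its sample code. It parses combined-format access log lines and flags such requests; the log lines, the IP addresses and the timestamps are constructed, and the endpoint list is taken from the post's deactivate.php link.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

SITE_HOST = "localhost"
# Endpoints that change state but are reachable by GET (from the post's demo app).
STATE_CHANGING_GET = {"/Normal/deactivate.php"}

# Apache/nginx "combined" log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: a login, a profile view, the forged deactivate (cross-site
# Referer) and a legitimate deactivate clicked from the site's own profile page.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:10:00:01 +0000] "POST /Normal/login.php HTTP/1.1" 302 0 "https://localhost/Normal/login.php" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:10:00:05 +0000] "GET /Normal/profile.php HTTP/1.1" 200 1532 "https://localhost/Normal/login.php" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:10:02:30 +0000] "GET /Normal/deactivate.php?Deactivate=true HTTP/1.1" 200 210 "https://attacker.com/" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2023:10:03:00 +0000] "GET /Normal/deactivate.php?Deactivate=true HTTP/1.1" 200 210 "https://localhost/Normal/profile.php" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def referer_host(referer: str) -> Optional[str]:
    """Hostname of the Referer, or None when the browser sent none ("-" or empty)."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def find_cross_site_state_changes(lines: List[str]) -> List[Dict[str, str]]:
    """Flag GET requests to state-changing endpoints whose Referer is another host.
    Requests without a Referer are not flagged here: a user typing the URL sends
    none too, so they need a separate, lower-confidence rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path      # strip the ?Deactivate=true query
        if rec["method"] != "GET" or path not in STATE_CHANGING_GET:
            continue
        host = referer_host(rec["referer"])
        if host is not None and host != SITE_HOST:
            rec["path"] = path
            rec["referer_host"] = host
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_cross_site_state_changes(SAMPLE_LOG.splitlines()):
        print(f'{hit["ts"]} {hit["ip"]} {hit["path"]} referer={hit["referer_host"]} status={hit["status"]}')
```

Only the third line is reported: the same endpoint requested from the site's own profile page is left alone. Because the Referer is under the browser's control and may be stripped by referrer policies, this rule is a detection aid for the vulnerable site, not a substitute for the server-side token check.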