
CSRF - Cross Site Request Forgery


Cross-site request forgery (CSRF) is an attack in which a legitimate user is tricked by an unauthorized party into performing an unintended action on a website where they are already authenticated.

Since HTTP is a stateless protocol, cookies are used to identify the requesting agent. Once a user has logged in to a website, they should not have to type the username and password again on every request. To recognise the user, the server generates a session identifier and sends it to the browser in a Set-Cookie header with the very first response. The browser stores that cookie and attaches it to every subsequent request to the server whose domain and path match. The server, however, checks nothing other than the session identifier: even when the request originates from a page on another site, the website only verifies, via the cookie, that the requesting user is already authenticated.




For example, when a person logs in to a banking site, they are authenticated and receive a session cookie. Meanwhile, an attacker can build a website with an attractive interface that is programmed to perform a malicious action. The attacker is not limited to a website: they can also lure a user by sending an email containing the malicious link, or by sharing the link on social media where users are encouraged to try it.


The attacker's page can contain a form whose real fields are hidden, while the visible part looks harmless:

<body onload="document.forms[0].submit()">
  <form action="http://netbank.com/transfer.do" method="POST">
    <input type="hidden" name="acct" value="AttackerA"/>
    <input type="hidden" name="amount" value="$100"/>
    <input type="submit" value="View my pictures!"/>
  </form>
</body>

In the example above, the code is written to transfer money to the attacker's account without the user's knowledge, while the page displays nothing but a button labelled "View my pictures!" (the onload handler submits the form automatically, so even the click is not strictly required). The request is sent from the user's own browser, so the session cookie stored there is attached to it. The server accepts the request and carries out the transfer without hesitation. In this way an attacker can act on the victim's account through a CSRF attack.


To defend against this kind of vulnerability, a value that is unique to each client session is used. This value is called the CSRF token. Tokens are cryptographically random values generated when a session is started for a particular user, and each form on the website carries the token in the message body as a hidden field.

If the attack scenario above is attempted, the form the attacker sends to the legitimate user either carries no token at all or carries a token that will not match, because the CSRF token is unique to each session and the attacker does not know the legitimate user's token.

Two CSRF protection methods are commonly used today:

  1. Synchronizer token pattern
  2. Double submit cookie

Both implementations generate a CSRF token and validate it against the session identifier, so that the session cookie alone is never sufficient to authorise a state-changing request.
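The following is an added illustration, not code from the original post: a minimal server-side model of both protection methods, with a simulated /transfer.do handler that rejects the forged form shown earlier because the browser-attached session cookie is not accompanied by a valid token. The session store, secret and request structure are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed secret for this example; a real server loads it from configuration.
SERVER_SECRET = b"constructed-example-secret"


def issue_synchronizer_token(session_store, session_id):
    """Synchronizer token pattern: a fresh random token is stored server-side
    under the session and also embedded in each form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session_store[session_id] = token
    return token


def validate_synchronizer_token(session_store, session_id, submitted):
    expected = session_store.get(session_id)
    if expected is None or not submitted:
        return False
    # Constant-time comparison so validation does not leak timing information.
    return hmac.compare_digest(expected, submitted)


def issue_double_submit_token(session_id):
    """Double submit cookie: the token is an HMAC of the session id, so no
    per-session storage is needed; the same value is set as a cookie and
    placed in a hidden form field."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def validate_double_submit(session_id, cookie_token, form_token):
    if not cookie_token or not form_token:
        return False
    expected = issue_double_submit_token(session_id)
    return (hmac.compare_digest(cookie_token, form_token)
            and hmac.compare_digest(expected, form_token))


def handle_transfer(session_store, request):
    """Simulated /transfer.do handler: the session cookie proves who the user
    is, the CSRF token proves the form came from a page served to that user."""
    session_id = request["cookies"].get("session")
    if session_id not in session_store:
        return "401 not logged in"
    if not validate_synchronizer_token(session_store, session_id,
                                       request["form"].get("csrf_token")):
        return "403 CSRF token missing or invalid"
    return "200 transferred %s to %s" % (request["form"]["amount"],
                                         request["form"]["acct"])
```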
