CSRF (Cross-Site Request Forgery) is an attack in which the victim is tricked into submitting a malicious request without their consent or knowledge. The forged request inherits the victim's identity and performs an undesired action on the victim's behalf. In other words, if the victim is currently authenticated to the vulnerable website and clicks an innocent-looking malicious link that is actually crafted to perform an unwanted action on that site, the website has no way to distinguish the forged request from a legitimate one.
These attacks mainly target functionality that causes a state change on the server, such as updating user information or purchasing something. The attacker who crafted the malicious link never sees the response; only the victim does. That is why these attacks target state-changing requests rather than requests that merely read data.
Let's try to understand this attack with the help of an example.
Although there are many ways in which a normal user can be tricked into executing an unwanted action in a web application, for the sake of simplicity we will study the easiest way of performing CSRF attacks. Two users are involved in this CSRF attack: the first is Attacker and the other is Victim.
CSRF attack in GET scenario
Victim is using a bank website "www.bank.com" which has a GET method "Transfer" with the following signature:
public Transfer(string acct, string amount);
In our example, if the legitimate user Victim wanted to transfer money to his account, he would obviously use the website's user interface, which would initiate the request in the following way:
http://bank.com/transfer.do?acct=Victim&amount=1000
An attacker performing a CSRF attack can use different methods to initiate it, but in the context of the GET scenario we will go through the following three:
- Attack using an email
- Attack using an invisible image tag
- Attack using a website controlled by Attacker
1. Attack using an email
Now suppose Attacker knows the signature of the "Transfer" method and wants to target the user Victim. He can craft the following link, embed it in an email and send it to Victim. Notice the parameter "acct", which is set to the account name of Attacker (acct=Attacker).
<a href="http://bank.com/Transfer?acct=Attacker&amount=1000">Click here to find perfect partner!</a>
After receiving the above email, Victim sees only the text "Click here to find perfect partner!", which might tempt him into clicking it. One condition that must be fulfilled for this attack to work is that Victim must be logged in to the bank website. As soon as Victim clicks the "Click here to find perfect partner!" link, the amount is transferred to Attacker's account.
2. Attack using an invisible image tag
Unlike the previous example, where user intervention was needed to execute the unwanted action, it is also possible to submit the request without the user's knowledge, for example by including a 0x0 image tag in the mail content. When Victim opens the mail, the request is fired in the background without any visual indication that the transfer has taken place.
<img src="http://bank.com/Transfer?acct=Attacker&amount=100000" width="0" height="0" border="0">
3. Attack using a website controlled by Attacker
For this case let's assume that Victim regularly visits a site controlled by Attacker. On any or all of its pages Attacker can add the malicious links, either as anchor tags or as 0x0 image tags. Now suppose Victim is logged in to the bank website and at the same time is browsing the site controlled by Attacker; there is a good chance that he falls into the CSRF trap and ends up losing money to Attacker.
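The three GET vectors above all rely on the same two facts: the browser attaches the bank's session cookie to a request that some other page triggered, and the bank's "Transfer" endpoint accepts a GET. The following stand-alone model, added here as an example and not taken from the original article, makes both visible. It models the browser's cookie decision (what the SameSite cookie attribute governs) for the e-mail link (a top-level navigation) and for the 0x0 image (a background subresource fetch), and compares the article's GET-accepting Transfer handler with a POST-only variant. Site names, cookie names and the two handler variants are assumptions made for illustration.

```python
# Added example (not code from the original article): a small stand-alone model of
# the GET scenario.  Site names, cookie names and both handler variants are
# assumptions for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    same_site: str = "None"  # "None", "Lax" or "Strict"


def cookie_is_sent(cookie, initiator_site, target_site, top_level_navigation, method):
    """Model of the browser's decision to attach a cookie to a request.

    - same-site requests always carry the cookie
    - SameSite=Strict: never attached to a cross-site request
    - SameSite=Lax: attached to a cross-site request only when it is a
      top-level navigation (the user clicks a link) using a safe method
    - SameSite=None: always attached (real browsers also require Secure)
    """
    if initiator_site == target_site:
        return True
    if cookie.same_site == "Strict":
        return False
    if cookie.same_site == "Lax":
        return top_level_navigation and method in ("GET", "HEAD")
    return True


def transfer_vulnerable(method, cookies, acct, amount):
    """The article's Transfer: any HTTP method is accepted, only the session cookie is checked."""
    if "session" not in cookies:
        return 401
    return 200  # money moves


def transfer_hardened(method, cookies, acct, amount):
    """State change refused unless the request is a POST from an authenticated session.

    A POST-only endpoint still needs an anti-forgery token or Origin check (see the
    POST scenario); this variant only closes the anchor-tag and image-tag vectors.
    """
    if method != "POST":
        return 405
    if "session" not in cookies:
        return 401
    return 200


def forged_get(handler, cookie, top_level_navigation):
    """Forged GET from an attacker-controlled page or e-mail to the bank.

    top_level_navigation=True models the e-mail link the victim clicks;
    False models the 0x0 <img> tag fetched silently in the background.
    Returns the HTTP status the bank answers with.
    """
    attached = {}
    if cookie_is_sent(cookie, "attacker.example", "bank.example", top_level_navigation, "GET"):
        attached[cookie.name] = cookie.value
    return handler("GET", attached, acct="Attacker", amount="1000")


if __name__ == "__main__":
    for same_site in ("None", "Lax", "Strict"):
        c = Cookie("session", "s3cr3t", same_site)
        for top_level, label in ((True, "e-mail link"), (False, "0x0 image")):
            print(f"SameSite={same_site:6} {label:11} "
                  f"vulnerable={forged_get(transfer_vulnerable, c, top_level)} "
                  f"hardened={forged_get(transfer_hardened, c, top_level)}")
```

Running the table shows the caveat a defender should remember: SameSite=Lax stops the hidden-image vector but still lets the clicked e-mail link through, because a click is a top-level GET navigation. Only refusing GET for state-changing operations (the hardened handler) closes all three vectors regardless of the cookie attribute.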
CSRF attack in POST scenario
In this scenario Victim is using a bank website "www.bank.com" which has a POST method "Transfer" with the following signature:
[HttpPost]
public Transfer(string acct, string amount);
One important point to note is that Attacker cannot reach this method with the techniques discussed earlier, i.e. he cannot invoke a POST method through an anchor tag or a 0x0 image tag. To successfully hit this POST method, Attacker needs to initiate the request from within a FORM tag.
An attacker performing a CSRF attack can use different methods to initiate the attack on POST methods, but we will go through the following two:
- Attack using an email
- Attack using a website controlled by Attacker
1. Attack using an email
As before, Attacker sends an email to Victim, but this time the malicious text "Click here to find perfect partner!" is the label of a submit button inside a FORM tag. Pressing the submit button sends a POST request to "http://bank.com/Transfer", the method named in the action attribute of the FORM tag. The values of the hidden fields named acct and amount are assigned to the parameters of the "Transfer" method.
<form action="http://bank.com/Transfer" method="POST">
<input type="hidden" name="acct" value="Attacker"/>
<input type="hidden" name="amount" value="1000"/>
<input type="submit" value="Click here to find perfect partner!"/>
</form>
When Victim opens this email he sees nothing except "Click here to find perfect partner!" and may fall into the trap by clicking the submit button, which hits the POST method "Transfer" and sends the amount to Attacker's account.
2. Attack performed using a website controlled by Attacker
For this case let's assume that Victim regularly visits a site controlled by Attacker which has a few pages that require the user to press a submit button, for example to update profile information or add a comment. With the help of such pages Attacker can also include a POST request to the "Transfer" method. As in the previous example, Attacker uses hidden fields to pass values of his choice to the parameters of the "Transfer" method.
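A POST-only "Transfer" is not enough, as the forged form above shows: the browser still attaches Victim's session cookie when the attacker's form is submitted. What stops it is something the attacker's page cannot supply: a per-session anti-forgery token embedded in the bank's own form, ideally combined with a check of the Origin header. The stand-alone example below is added here and is not code from the original article; it imitates what ASP.NET MVC's Html.AntiForgeryToken and [ValidateAntiForgeryToken] helpers do for the [HttpPost] Transfer method. The bank host name, cookie and field names, the secret and the sample session ids are assumptions.

```python
# Added example (not code from the original article): synchronizer-token pattern
# plus an Origin check for the POST /Transfer handler.  Host, cookie and field
# names, the secret and the session ids are assumptions for illustration only.
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlsplit

BANK_HOST = "bank.example"
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret, never sent to clients


def issue_csrf_token(session_id):
    """Token bound to the session: a token minted for one session is useless in another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_transfer_form(session_id):
    """The bank's own transfer page embeds the token as a hidden field."""
    token = issue_csrf_token(session_id)
    return (
        f'<form action="https://{BANK_HOST}/Transfer" method="POST">'
        f'<input type="hidden" name="csrf_token" value="{token}"/>'
        '<input type="text" name="acct"/><input type="text" name="amount"/>'
        '<input type="submit" value="Transfer"/></form>'
    )


def transfer_post(headers, cookies, form):
    """POST /Transfer handler.  Returns (status, message)."""
    session_id = cookies.get("session")
    if session_id is None:
        return 401, "not authenticated"
    # 1. Origin check: browsers add Origin to cross-site POSTs and a page cannot
    #    forge it.  When present it must name the bank itself (exact host match,
    #    not a string prefix, so "bank.example.attacker.example" is rejected).
    origin = headers.get("Origin")
    if origin is not None and urlsplit(origin).hostname != BANK_HOST:
        return 403, "cross-site request refused"
    # 2. Token check: the attacker's page cannot read the victim's token, so a
    #    forged form cannot include a valid one.  Constant-time comparison.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(issue_csrf_token(session_id), supplied):
        return 403, "missing or invalid anti-forgery token"
    return 200, f"transferred {form['amount']} to {form['acct']}"


def submit_form(html, cookies, origin, extra=None):
    """Crude browser: collect the form's hidden fields and POST them with the cookies."""
    form = dict(re.findall(r'name="(\w+)" value="([^"]*)"', html))
    form.update(extra or {})
    headers = {} if origin is None else {"Origin": origin}
    return transfer_post(headers, cookies, form)


VICTIM_COOKIES = {"session": "victim-session-id"}  # constructed sample session


def legitimate_transfer():
    """Victim fills in the bank's own form: token present, Origin is the bank."""
    html = render_transfer_form(VICTIM_COOKIES["session"])
    return submit_form(html, VICTIM_COOKIES, f"https://{BANK_HOST}",
                       {"acct": "Victim", "amount": "1000"})


def forged_transfer_no_token():
    """The article's forged form, submitted from the attacker's page."""
    html = (f'<form action="https://{BANK_HOST}/Transfer" method="POST">'
            '<input type="hidden" name="acct" value="Attacker"/>'
            '<input type="hidden" name="amount" value="1000"/></form>')
    return submit_form(html, VICTIM_COOKIES, "https://attacker.example")


def forged_transfer_foreign_token():
    """Attacker embeds a token from their own session and the Origin header is absent."""
    html = render_transfer_form("attacker-session-id")
    return submit_form(html, VICTIM_COOKIES, None, {"acct": "Attacker", "amount": "1000"})


if __name__ == "__main__":
    print("legitimate     :", legitimate_transfer())
    print("forged, no token:", forged_transfer_no_token())
    print("forged, foreign :", forged_transfer_foreign_token())
```

The two checks are independent and each blocks the article's forged form on its own: the Origin check rejects it because the submission comes from the attacker's site, and the token check rejects it because the hidden fields the attacker wrote cannot contain a token derived from Victim's session and a secret that never leaves the server.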