It seems like I understand CSRF incorrectly?

Tags:

csrf

After reading many documents regarding CSRF, I'm still a little bit confused. So I hope someone can please explain it to me:

  1. Let's say I have a profile page which is for authenticated users only, say abc.com/profile, which shows me all my private info. If I am logged in and then go to a "bad" site, can this site somehow get and parse my profile page? (I did a little experiment by opening up the Firebug console on a different site and then requesting my profile page, and it seems like at least I can see the whole content in the "Response" of the "Net" tab; I haven't figured out how to get this content and parse it yet, though. But perhaps it's possible?)

  2. Now assume that I have on my profile page a form, which of course has a CSRF token. If an attacker could get my profile page, he could just parse that content, get the token and then submit a fake form?

  3. Now assume that 1 and 2 are correct, what should I do to prevent such cases from happening?

asked Sep 01 '11 18:09 by mr1031011



3 Answers

Your points aren't quite right... But take this scenario.

Example Attack


Imagine that a user is logged into The Official Bank of Fake Country - GoodBank.com and has a balance of 1,000,000 gold.

On MaliciousSite.com, there is an <img> or some other generic JavaScript that causes you to make a request to GoodBank.com.

The <img> has a src of http://www.goodbank.com/account/transfer.php?amount=10000&sentTo=malicioususer.


Now this site has made a request under your user account and has caused you to invoke a page which you would not have otherwise.

Now, you might be thinking that you can protect against this by using only POST, but these are not secure either. The correct way is to use CSRF tokens in your forms, and when a form is submitted, you should check that the CSRF token that you receive is the same as with what was issued.

Do not use these measures to protect yourself:

  • Secret Cookies
  • Only accepting POST requests
  • Multi-page forms
  • URL rewriting

Instead use a token like this:

<form action="/transfer.do" method="post">
  <input type="hidden" name="CSRFToken" value="OWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZjMTViMGYwMGEwOA==">
  …
</form>

See here for a great explanation: CSRF Cheat Sheet

answered Nov 08 '22 16:11 by Layke
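The synchronizer-token pattern this answer recommends, worked through server-side as an added example (not code from the answer or the cheat sheet). The in-memory `SESSIONS` store, `login`, `render_form` and `handle_transfer` are all hypothetical stand-ins for a web framework's session and request handling; the forged request mirrors the transfer.php scenario above.

```python
import hmac
import secrets

# Constructed stand-in for a framework's server-side session store:
# session id (from the cookie) -> session data, including the CSRF token.
SESSIONS: dict[str, dict] = {}


def login(user: str) -> str:
    """Create a session for `user` and issue it a fresh, unguessable CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(sid: str) -> str:
    """Embed the session's token in the form exactly as the answer shows.
    Only a page served to this session can see this value; a page on another
    origin cannot read it because of the same-origin policy."""
    token = SESSIONS[sid]["csrf"]
    return (
        '<form action="/transfer.do" method="post">\n'
        f'  <input type="hidden" name="CSRFToken" value="{token}">\n'
        "</form>"
    )


def handle_transfer(cookie_sid: str, form: dict) -> str:
    """Server side of /transfer.do. The cookie alone proves the browser has a
    session; the request is honoured only if the form carries that session's token."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "401 not logged in"
    submitted = form.get("CSRFToken", "")
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return "403 CSRF token mismatch"
    return f"200 transferred {form['amount']} to {form['sentTo']}"


def demo() -> tuple[str, str]:
    """Legitimate submission versus the forged one from MaliciousSite.com."""
    sid = login("victim")
    token = SESSIONS[sid]["csrf"]  # the victim's own page has it
    legit = handle_transfer(sid, {"CSRFToken": token, "amount": "10", "sentTo": "friend"})
    # The attacker's page makes the victim's browser send the cookie automatically,
    # but it never saw the victim's page, so it can only guess the token.
    forged = handle_transfer(sid, {"CSRFToken": "guess", "amount": "10000", "sentTo": "malicioususer"})
    return legit, forged
```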


Your first point is not correct.
You cannot read content from a different domain on the client.

Therefore, a hostile site cannot read the CSRF token.

You can send requests to a different domain (which is what CSRF attacks do), but you can't read the responses.

answered Nov 08 '22 17:11 by SLaks


This may not be directly related to the question asked, but I need to point out that cross-site scripting attacks can open doors for CSRF. Even token-based solutions used to prevent CSRF can be compromised by XSS.

Take the following scenario.

Form used to update user info.

<script>
...
var userID = getUserId(); // method makes an AJAX call to get the user ID
...
</script>
...
<form name="UpdateUserProfile">
  <input type='hidden' id='userId' value='userID_attacker_cannot_guess'>
  <input type='hidden' id='userName' value='goodUser'>
  <input type='hidden' id='email' value='[email protected]'>
  ...
</form>

Assuming that the user ID is unique and cannot be guessed easily, we can prevent CSRF without a token (the attacker's request will not be able to carry the right user ID).

But if the attacker can read the value of userID using an XSS attack, he can then craft the forged request to include the correct user ID.

Although XSS is not needed for CSRF attacks, it makes them easier.

Check the following resources.

Cross-Site Request Forgery (CSRF)-OWASP

Cross-site Scripting (XSS)-OWASP

answered Nov 08 '22 18:11 by user624558