Understanding CSRF

I don't understand how using a 'challenge token' would add any sort of prevention: what value should be compared with what?

From OWASP:

In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is utilized for each subsequent request until the session expires.

If I understand the process correctly, this is what happens.

I log in at http://example.com and a session/cookie is created containing this random token. Then, every form includes a hidden input also containing this random value from the session which is compared with the session/cookie upon form submission.

But what does that accomplish? Aren't you just taking session data, putting it in the page, and then comparing it with the exact same session data? Seems like circular reasoning. These articles keep talking about following the "same-origin policy" but that makes no sense, because all CSRF attacks ARE of the same origin as the user, just tricking the user into doing actions he/she didn't intend.

Is there any alternative other than appending the token to every single URL as a query string? Seems very ugly and impractical, and makes bookmarking harder for the user.

Lotus Notes asked Apr 05 '10 22:04



2 Answers

The attacker has no way to get the token. Therefore the requests won't take any effect.

I recommend this post from Gnucitizen. It has a pretty decent CSRF explanation: http://www.gnucitizen.org/blog/csrf-demystified/

rogeriopvl answered Oct 29 '22 22:10


CSRF Explained with an analogy - Example:

Imagine you're opening your front door using a key - your key. Nobody else has your key. You open the door - but before you go inside, your neighbour calls you over from across the road and you both have a very amicable conversation about the weather or perhaps President Trump's latest 3.45 am tweets etc. While you are having this conversation, unbeknownst to you, somebody else sees you outside, and decides to impersonate you by wearing your same clothes and hair style and decides to go into your own house pretending to be you!

Nobody inside your house notices anything different - your wife is like, ‘oh crud*, he’s home’.

The impersonator helps himself to all of your money, and perhaps plays some Xbox on the way out and nobody is any wiser.

CSRF basically relies on the fact that you opened the door to your house and then left it open, allowing someone else to simply walk in and pretend to be you.

What is the way to solve this problem?

When you first open the door to your house, you are given a paper with a long and very random number written on it by your door man:

"ASDFLJWERLI2343234"

Now, if you wanna get into your own house, you have to present that piece of paper to the door man to get in.

So now when the impersonator tries to get into your house, the door man asks:

"What is the random number written on the paper?"

If the impersonator doesn't have the correct number, then he won't get in. Either that or he must guess the random number correctly - which is a very difficult task. What's worse is that the random number is valid for only 20 minutes (e.g.). So now the impersonator must guess correctly, and not only that, he has only 20 minutes to get the right answer. That's way too much effort! So he gives up.

Granted, the analogy is a little strained, but I hope it is helpful to you.

*crud = (Create, Read, Update, Delete)

BenKoshy answered Oct 29 '22 22:10
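Both answers above describe the synchronizer token pattern in words; the following added example (not code from the question or either answer) shows concretely what is compared with what: the hidden form field the browser submits in the POST body versus the token stored server-side for the session named by the cookie. The in-memory `SESSIONS` store, the `/transfer` form and the `demo()` flows are constructed assumptions standing in for a real framework's session handling. The forged request carries the victim's cookie (browsers attach it automatically) but not the token, because the attacker's page could never read the victim's session or fetch the form HTML cross-origin.

```python
import hmac
import secrets
from typing import Optional

# Constructed in-memory session store: session_id -> session data. Assumption:
# a real app would use its framework's server-side or signed session instead.
SESSIONS: dict = {}

def start_session() -> str:
    """Log-in: create a session and generate its CSRF token exactly once."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_form(sid: str) -> str:
    """Server renders the form for the logged-in session, embedding its token.
    Only a page served from the site itself can obtain this HTML; a page on
    another origin cannot read the victim's cookie or this response."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )

def handle_post(cookie_sid: Optional[str], form: dict) -> int:
    """Return an HTTP status. The check: token submitted in the POST body
    must equal the token stored for the session the cookie identifies.
    The cookie alone is not enough, which is the whole point of the pattern."""
    session = SESSIONS.get(cookie_sid or "")
    if session is None:
        return 401
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403
    return 200

def demo() -> tuple:
    """Legitimate submission vs. forged cross-site submission (constructed)."""
    sid = start_session()
    # Legitimate flow: the user's browser loads the form, then submits it.
    html = render_form(sid)
    token = html.split('name="csrf_token" value="')[1].split('"')[0]
    legit = handle_post(sid, {"csrf_token": token, "amount": "100"})
    # Forged flow: an auto-submitting form on another site. The victim's
    # browser still attaches the session cookie, but the token is missing.
    forged = handle_post(sid, {"amount": "100"})
    return legit, forged
```

Running `demo()` returns `(200, 403)`: same cookie on both requests, but only the request that carries the session's own token is accepted.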