Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) is an attack that forces a user to execute an unwanted action on a web application to which they are currently authenticated. When an application relies on cookies alone for session handling and exposes predictable actions that an attacker can trigger, CSRF becomes possible.

For CSRF to be successful, a few conditions need to be in place:

  • Cookie-based sessions: Completing the attack requires one or more HTTP requests, and the application must rely only on a session cookie to identify the user who made those requests
  • No unpredictable request parameters: The requests that execute the action must not contain any parameters the attacker cannot determine or guess. For example, when forcing a user to update their password, the function is not vulnerable if the attacker needs to know the value of the existing password
  • Known action: The attacker knows what the application can do and has identified an action to abuse

See below for an HTTP request that would be suitable for a CSRF attack. The request is a user attempting to update their email address:

POST /account/changes HTTP/1.1
Host: northgreensecurity-insecure.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Cookie: session=yvthwsztyedfghdfghPzghjfgyiuHNFjg

email=ted@iamvictim.com

The request meets the requirements previously mentioned, as it includes:

  • An action of changing the user’s email address
  • The sole use of a session cookie to keep track of the user
  • Easily guessed or determined values for the request parameter

To exploit CSRF, a malicious webpage is needed; when the victim user visits this page, it triggers the email change function. See below for a malicious webpage created from HTML:

<html>
 <body>
   <form action="https://northgreensecurity-insecure.com/account/changes" method="POST">
     <input type="hidden" name="email" value="hack@csrfPoC.com" />
   </form>
   <script>
     document.forms[0].submit();
   </script>
 </body>
</html>

When a user visits the malicious webpage, the following actions would occur:

  • Once visited, the malicious webpage would cause the victim's browser to send a request to the vulnerable site that looks identical to a legitimate email change
  • The victim's browser would automatically attach their session cookie to that request, so the application would treat it as an action performed by the victim
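The fix is to break the second condition above by adding a request parameter the attacker cannot guess. The following is an added example, not code from the original page or from the site it describes: a server-side handler that, assuming a hypothetical server secret and the request shown earlier, accepts the email change only when a synchronizer token bound to the session cookie is present. The forged form from the malicious page carries the cookie but no token, so it is rejected.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed for this example: a per-process key the attacker cannot know.
SERVER_SECRET = secrets.token_bytes(32)

def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session; unguessable without SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def build_request(session_id: str, body: str) -> str:
    """Build a raw POST shaped like the page's request (host taken from the page)."""
    return (
        "POST /account/changes HTTP/1.1\r\n"
        "Host: northgreensecurity-insecure.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"Cookie: session={session_id}\r\n\r\n{body}"
    )

def parse_request(raw: str):
    """Split a raw HTTP request into (headers, cookies, form fields)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value.strip()
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return headers, cookies, form

def handle_change_email(raw: str) -> tuple:
    """Hardened handler: the session cookie alone is no longer enough to act."""
    _headers, cookies, form = parse_request(raw)
    session_id = cookies.get("session")
    if not session_id:
        return 401, "no session"
    # A forged cross-site request carries the cookie automatically, but the
    # attacker cannot read or compute the token issued for this session.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(issue_csrf_token(session_id).encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    if "email" not in form:
        return 400, "email required"
    return 200, f"email updated to {form['email']}"
```

In a real application the token would be embedded in the legitimate form by the server and the session cookie would additionally carry the SameSite attribute; this block shows only the validation step.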