"No exceptional circumstances whatsoever, whether a state of war or a threat of war, internal political instability, or any other public emergency, may be invoked as a justification of torture." -- U.N. Convention Against Torture
For those of you not familiar with CSRF, it works like this:
Eve knows that Alice uses "www.mybank.com" for banking. Eve looks at mybank.com and notices that during money transfers, the url looks like "www.mybank.com/transfer.php?to='bob'&amount=100". Eve realizes that if Alice clicked on a link that looked like "www.mybank.com/transfer.php?to='eve'&amount=99999999999" then Eve would get $99999999999. But if Eve just sent a link to Alice, she would notice fast that she had just given a shitload of money to Eve. So instead, Eve sends Alice a image with this html: "<img src="www.mybank.com/transfer.php?to='eve'&amount=99999999999" alt="Oh noes, the image didn't load!" />".
Let's look at what happens from the browser's point of view:
1.) Oh, lookey, an image. I'll go to "www.mybank.com/transfer.php?to='eve'&amount=99999999999" to get it!
2.) Huh, mybank.com didn't return an image. I'll use the alt text.
3.) Render alt text.
Alice will see "Oh noes, the image didn't load!", while $99999999999 is sucked out of her account.
Most banks and social networks protect against CSRF now, so the danger *seems* small. Watch as I show you how it could get your internet service suspended, have lawsuits filed against you, and much, much more.
I'll start with another example...
Have you heard of Six Strikes? If not, read about it Here
Account suspension, Possible Lawsuits, nasty stuff.
Now let's say that Eve is mad at Alice. She decides to try another CSRF attack, but this time, her goal is to get Alice's ISP account suspended. Like last time, she could just send a link to "www.piratedcontent.com/download.php?file=piratedfile.avi", but that would be to obvious. She could use <IMG> tags, but she would need 6 broken images, and that might be a tipoff. So Eve makes a page on her website that has an interesting article on it. She also includes some <SCRIPT> tags that send off GET requests to "www.piratedcontent.com", changing what file it's getting every minute or so. She then sends a link to the page to Alice. Alice clicks on the link, and reads the article. Meanwhile, Alice's browser dutifully sends off requests to "www.piratedcontent.com". Alice's ISP logs that she is requesting pirated content, and starts giving out strikes.
I think I speak for everyone who has a bit of Web Dev experience when I say that I could make a site like that in about an hour at most. Scared yet? There's more. Downloading pirated content is just *one* of the fun things that you can do! Link farming? Check. Visiting n0rp sites? Check. Googling "how to make a bomb", "How to get past web filtering", or "n0rp"? Check.
That is the power of CSRF.
What can you do to protect yourself, you ask?
How long have you been reading this article?
Enough time for your browser to make a few get requests?
That is the power of CSRF.
Cast your vote on this article 10 - Highest, 1 - Lowest
Comments: Published: 20 comments.
HackThisSite is is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.