Quick note -- Okay, this is my first article so please bear with me. I still have so much to learn about computer security (I'm only just 16) so any suggestions or false information noticed should be placed in a comment or PM'd to me, thanks =]
In this article I will be explaining what a CSRF attack is and how it can be used at a basic level.
Basics
CSRF stands for Cross-Site Request Forgery. A CSRF attack is an action performed on a web application by an authenticated user. However, the user is unaware that he/she has performed this action.
There is more than one way of performing the attack.
Conditions
1. The user is logged in at the time of attack.
2. The user actually visits the attacker's page whilst logged in.
3. The attacker must know EXACTLY what data the target server expects to be passed in order to construct a malicious URL.
Constructing the malicious URL
Let's say that this URL, when clicked after logging into a bank system, transfers 100 pounds into Bob's account:
http://www.bank.com/moneytransfer.jsp?command=transfer&destinationuser=Bob&src=mysavings&amount=100
In the malicious version of this URL, you'll notice that the value of destinationuser has been changed to the attacker (who would have an account on this site) and the value of amount has been changed to 10,000.
This is the example URL I will be using throughout the article.
NB: There is probably no bank server in existence whose security is this basic; I am only using this as an example.
If a user who is authenticated on the bank server clicks the link WHILST HE/SHE IS LOGGED IN, 10,000 pounds will be transferred to the attacker's account.
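An added example (not part of the original article, and not any real bank's code): a small Python model of the transfer endpoint described above, showing why the link works against a handler that trusts the session cookie alone, and how requiring POST plus a per-session token removes condition 3, because the attacker can no longer know everything the server expects. The session id, user names, balances and function names are assumptions made up for the illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed state for the example: one logged-in user, hypothetical names.
SESSIONS = {"sid-alice": {"user": "alice", "csrf": secrets.token_urlsafe(32)}}
FORGED_URL = ("http://www.bank.com/moneytransfer.jsp?command=transfer"
              "&destinationuser=Attacker&src=mysavings&amount=10000")

def move(balances, src, dst, amount):
    balances[src] -= amount
    balances[dst] = balances.get(dst, 0) + amount

def vulnerable_transfer(method, url, cookies, balances):
    """Acts on any request carrying a valid session cookie, GET included."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401
    q = parse_qs(urlsplit(url).query)
    move(balances, session["user"], q["destinationuser"][0], int(q["amount"][0]))
    return 200

def hardened_transfer(method, form, cookies, balances):
    """Changes state only on POST with the session's CSRF token in the body."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401
    if method != "POST":
        return 405  # link clicks and image loads are GETs: refused
    sent = form.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
        return 403  # a page on another origin cannot read this token
    move(balances, session["user"], form["destinationuser"], int(form["amount"]))
    return 200

def demo():
    cookies = {"session": "sid-alice"}  # the browser attaches this by itself
    forged = {k: v[0] for k, v in parse_qs(urlsplit(FORGED_URL).query).items()}
    legit = {"destinationuser": "Bob", "amount": "100",
             "csrf_token": SESSIONS["sid-alice"]["csrf"]}
    b = [{"alice": 20000} for _ in range(4)]
    codes = [vulnerable_transfer("GET", FORGED_URL, cookies, b[0]),
             hardened_transfer("GET", forged, cookies, b[1]),
             hardened_transfer("POST", forged, cookies, b[2]),
             hardened_transfer("POST", legit, cookies, b[3])]
    return [(code, bal["alice"]) for code, bal in zip(codes, b)]

if __name__ == "__main__":
    print(demo())
```

Each tuple is the HTTP status and the victim's remaining balance: only the vulnerable handler moves money on the forged request, while the hardened one still serves the bank's own form.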
Example for Method 2:
Here is an example using the tags to be used to store in a field that accepts HTML:
CODE :
This could be placed inside a guestbook and when the 'image' loads, the request will be made to the server.
Example (real world):
The infamous MySpace attack used both XSS and CSRF to analyse and send a friend request to anyone who was viewing the page containing the attack; it also spread to their friends list and so on. Because the friends list was so enormous, the MySpace server temporarily crashed.
Conclusion
There are a few conclusions that can be drawn from this article:
1. That CSRF is based mainly on social engineering (in order to actually get the user to visit the page, click the malicious link needed to carry out the attack).
2. When CSRF is successful, it can be devastating.
3. When hidden in or using .htaccess, the CSRF is executed without the user's knowledge.
-- Thank you for taking the time to read this article, I hope it will be one of many. Constructive criticism is encouraged as I still have so much to learn =]
Pyr0
Comments: Published: 24 comments.
By: vicarious - 05:34 am Wednesday September 19th, 2007
Few mistakes I noticed still, but I cleared them up...again
9/10
By: lordofwhee - 08:27 am Wednesday September 19th, 2007
Only one grammatical error (using "an" before "CSRF"), but other than that, it reminded me of an attack I had forgotten about.
9/10
MOD EDIT: Cheers, fixed.
By: mshamsuddeen2 - 11:33 pm Wednesday September 19th, 2007
Great article, nice crystallization
By: nos_slived - 01:11 am Thursday September 20th, 2007
Decent article, but a few points regarding the preface.
It's your first article, good for you, are we supposed to care? People always think that we should excuse errors because it's their first article. Last time I checked, your knowledge pertaining to the subject wasn't affected by your article writing experience. Don't get me wrong, it's always good to see new people getting involved, especially when they're submitting an article that isn't identical to three others submitted in the ten days prior. It's simply not something that should be brought up; after all, you don't walk in to your first corporate board meeting and tell everybody that it's a new experience for you.
Mentioning your age. This is one of the less personal reasons that I don't spend much time reading the forums anymore. Time and time again we would see people asking if they were too young to start "hacking". And yes, in a lot of cases, people were too young, but not because they were legally 13, 16, 18, or <insert number here>. They were too young mentally. If they came to the forums saying that they were 17 and wanted to hack their friend's Myspace account, it usually portrayed the maturity of a 10-year-old. In the same sense, I've seen kids who haven't hit puberty manage to do great, because they were mature enough to understand what the purpose of this community really was. I guess what I'm trying to get at is that you're 16. Okay...
By: nos_slived - 01:13 am Thursday September 20th, 2007
<Double Post due to message length limit>
That has nothing to do with the extent of your knowledge on CSRF attacks, because it doesn't limit how much dedication you're willing to put in to educating yourself, which is one of the fundamental principles of hacking. Your profile is proof enough that you are mature enough to be here, age isn't an excuse.
My final point of criticism ties in with the above. Pointing out the possibility of false information. If you aren't confident that you know what you're talking about, you shouldn't be submitting that information in the article until you do further research to either confirm or deny what you thought you knew.
Keep in mind, I'm not trying to be rude with my criticism. It is just a few points that you should consider when you post your next article. All that said, I want to point out that I'm giving this article a good rating, which I haven't given to many recent articles.
By: vicarious - 05:11 am Thursday September 20th, 2007
"It's your first article, good for you, are we supposed to care? People always think that we should excuse errors because it's their first article."
Well considering every time someone submits an article for the first time, they are proud of it and just want to show it. It's not for a fact saying 'don't mind my errors'. I sure care that it's his first article, that won't change my vote - nor anyone else's.
By: Death_metal - 02:15 pm Thursday September 20th, 2007
nos_slived do you feel better now, were you attempting to break his confidence, as I can see no help to your post or purpose other than to put this guy down what was the point of it?
By: nos_slived - 12:15 am Saturday September 22nd, 2007
Hey guys, I have a joke. There once was a guy who had been in the community for more than two years. Then more than a year later, two more guys joined the community, and are now approaching the eight month mark of their membership. The first member has spent two years reading much of the same shit repeated times, with slightly different wording each time. Then along comes a fourth guy to join the community. He is wise, and shares his knowledge in the form of an article, making few mistakes, save for the classic preface that makes it like other articles, most of which are far from the quality of his. After recognizing this, the first guy points out the mistakes to the article creator, in hopes that he will acknowledge the points brought up, and decide to omit this preface upon creation of his next article. Many community members, older community members, who have seen this in the past will recognize that this new member has enough confidence to post an article without making excuses for errors, and rather fixing any errors that may exist prior to submission.
Meanwhile, the second and third members to join the community fail to see the difference made in the quality of an article when this preface is omitted. Despite the fact that the first member stated that his vote will be swayed, and that he was not trying to break the confidence of the fourth member, the second and third members still manage to look right through it and turn on the first member.
Now wasn't that a knee-slapper!
By: Static-Oblivion - 07:56 am Saturday September 22nd, 2007
Ok ok man I hear you I just felt bad for the guy, but I'll give you your credit due on a very valid point. It is old and also yes I have seen this rewritten like 5 times.
By: ThePrankster - 09:36 am Friday September 28th, 2007
riiiiiiiiiiiiight. Well this is my first article I have seen on this site, so it's new to me =D
By: kings_bdcom - 02:24 am Tuesday October 02nd, 2007
i am 14 years old and i want to learn me how to hack.. Can you give me some tips like what for programm i should download, Linux or windows. send me a message plz
By: thetrojan01 - 02:40 pm Wednesday October 03rd, 2007
It's never too early to start! I am 12 and I started when I was 10,5! And my first hacking-training web site was... Hackthissite.org! :)
By: haxor_pyro - 04:39 am Friday October 05th, 2007
yer I been going on and off since about 12 but really started getting committed quite recently =]]
Pyr0
Since this has become a place for telling your age, I am 15 myself too! I liked the article, but I think this kind of attack is lame! Still, I give you a 10 for the article!
as for sikki's comment "i am 14 years old and i want to learn me how to hack.. Can you give me some tips like what for programm i should download, Linux or windows. send me a message plz", YOU ARE NOT A HACKER IF YOU USE LINUX, YOU ARE NOT A HACKER IF YOU DOWNLOAD SOME PROGRAMS! GO READ, LEARN ABOUT HACKING, DO THE CHALLENGES, ETC! IF I USE LINUX, I DO NOT USE BECAUSE I THINK AM A HACKER! I USE IT BECAUSE IT SUITS MY NEEDS FOR COMPUTING!
I like it quite a lot pretty simple though you didn't mention that you can change the obscure the URL to the IP of the site if it shows what the site's name is (I don't think anyone would go to: http://www.bank.com/moneytransfer.jsp?command=transfer&destinationuser=Attacker&src=mysavings&amount=10000) Also just an idea if you set up a 3 way redirection as in tell someone to go to safesite.com but actually you've hacked or own the site then place a redirection to the site with the malicious URL. Also if it was a guestbook or something of the like that was vulnerable to XSS you could type <script>document.location='badsite.com'</script> Then quickly press esc and everyone should theoretically be redirected. Just a thought other than that 8/10
<script>alert('XSS ;D')</script>
This site is the collective work of the
HackThisSite staff. Please don't reproduce in part or whole without permission.