"No exceptional circumstances whatsoever, whether a state of war or a threat of war, internal political instability, or any other public emergency, may be invoked as a justification of torture." -- U.N. Convention Against Torture
Quick note -- Okay, this is my first article so please bare with me. I still have so much to learn about computer security (I'm only just 16) so any suggestions or false information noticed should be placed in a comment or PM'd to me, thanks =]
In this article I will be explaining what a CSRF attack is and how it can be used at a basic level.
CSRF stands for Cross-Site Request Forgery. An CSRF attack is an action upon a web application by an authenticated user. However, the user is unaware that he/she has performed this action.
There is more than one way of performing the attack.
1. The user is logged in at the time of attack.
2. The user actually visits the attacker's page whilst logged in.
3. The attacker must know EXACTLY what data the target server expects to be passed in order to construct a malicious URL.
Constructing the malicious URL
Let's say that this URL, when clicked after logging into a bank system, transfers 100 pounds into Bob's account:
You'll notice that the value of destination user has been changed to the attacker (who would have an account on this site) and the value has been changed to 10,000.
This is the example URL I will be using throughout the article.
NB: There is probably no bank server in existence who's security is this basic, I am only using this as an example.
Method 1 - Creating a link:
1. The attacker must first construct a malicious URL.
2. The attacker will then place the URL in, say, <a href=> tags to create a link containing the malicious URL.
3. The attacker may then post this link into guestbooks, email it to the user etc so that the victim clicks on the link and the URL is successfully processed.
Method 2 - Storing the attack on the site:
1. The attacker will use the malicious URL constructed in Method 1.
2. They will place this in, say, <img> tags.
3. The attacker will then store the attack in a field that accepts HTML (for example, a guestbook [I'm not suggesting all guestbooks are vulnerable to this though])
4. When the victim/user visits this page whilst logged in, the result is the same as the previous 2 methods.
Method 3 Ė Using XSS with CSRF (credit to Kane for this part):
Letís say that there is a website that uses POST to edit information on the website. Using the earlier described methods, CSRF isnít an option. So we can use XSS to assist us in sending the POST data.
Form data: 'name', 'password'
You could upload this onto a guestbook:
This could be placed inside a guestbook and when the 'image' loads, the request will be made to the server.
Example (real world):
The infamous MySpace attack used both XSS and CSRF to analyse and send a friend request to anyone who was viewing the page containing the attack, it also spread to their friends list and so on. Due to the friends list being so enormous, the MySpace server was temporarily crashed.
There a few conclusions that can be drawn from this article:
1. That CSRF is based mainly on social engineering (in order to actually get the user to visit the page, click the malicious link needed to carry out the attack).
2. When CSRF is successful, it can be devastating.
3. When hidden in <img src="CSRF"> or using .htaccess, the CSRF is executed without the user's knowledge.
-- Thank you for taking the time to read this article, I hope it will be one of many. Constructive criticism is encouraged as I still have so much to learn =]
Cast your vote on this article 10 - Highest, 1 - Lowest
Comments: Published: 21 comments.
HackThisSite is is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.