For those of you not familiar with CSRF (cross-site request forgery), it works like this:
Eve knows that Alice uses "www.mybank.com" for banking. Eve looks at mybank.com and notices that during money transfers the URL looks like "www.mybank.com/transfer.php?to='bob'&amount=100". Eve realizes that if Alice clicked on a link like "www.mybank.com/transfer.php?to='eve'&amount=99999999999", Eve would get $99999999999, because Alice's browser attaches her mybank.com session cookie to every request to mybank.com, no matter which page caused the request. But if Eve just sent Alice the link, Alice would notice fast that she had just given a shitload of money to Eve. So instead, Eve sends Alice an image with this HTML: "<img src="www.mybank.com/transfer.php?to='eve'&amount=99999999999" alt="Oh noes, the image didn't load!" />".
Let's look at what happens from the browser's point of view:
1.) Oh, lookey, an image. I'll go to "www.mybank.com/transfer.php?to='eve'&amount=99999999999" to get it!
2.) Huh, mybank.com didn't return an image. I'll use the alt text.
3.) Render alt text.
Alice will see "Oh noes, the image didn't load!", while, as long as she is logged in to mybank.com, $99999999999 is sucked out of her account.
Most banks and social networks protect against CSRF now (anti-CSRF tokens, Origin/Referer checks and, more recently, SameSite cookies), so the danger *seems* small. Watch as I show you how it could get your internet service suspended, have lawsuits filed against you, and much, much more.
I'll start with another example...
Have you heard of Six Strikes, the US ISPs' Copyright Alert System? If not, read about it first (the original article linked to an explanation here).
Account suspension, possible lawsuits: nasty stuff.
Now let's say that Eve is mad at Alice. She decides to try another CSRF attack, but this time her goal is to get Alice's ISP account suspended. Like last time, she could just send a link to "www.piratedcontent.com/download.php?file=piratedfile.avi", but that would be too obvious. She could use <IMG> tags, but she would need six broken images, and that might be a tipoff. So Eve makes a page on her website with an interesting article on it. She also includes some <SCRIPT> tags that send off GET requests to "www.piratedcontent.com", changing which file they fetch every minute or so. She then sends Alice a link to the page. Alice clicks on the link and reads the article. Meanwhile, Alice's browser dutifully sends off requests to "www.piratedcontent.com", each one coming from Alice's own IP address. Alice's ISP logs that she is requesting pirated content and starts handing out strikes.
I think I speak for everyone who has a bit of Web Dev experience when I say that I could make a site like that in about an hour at most. Scared yet? There's more. Downloading pirated content is just *one* of the fun things that you can do! Link farming? Check. Visiting n0rp sites? Check. Googling "how to make a bomb", "How to get past web filtering", or "n0rp"? Check.
That is the power of CSRF.
What can you do to protect yourself, you ask?
The answer:
Almost nothing. Disabling JavaScript might help a little, but the broken <IMG> tags still work. There are thousands of ways to force your browser to perform a GET request (images, stylesheets, iframes, scripts, prefetch links), and it's impossible to block all of them. Note that the site-side defences that stop the bank attack don't help here: anti-CSRF tokens protect a site against forged state changes, while these requests need no login at all, and the damage is simply that they leave your connection. Right now, almost no one is using CSRF for this sort of attack, but that's just because nothing is in it for them. All it would take is one of your "friends" linking you to one site, and just like that, your reputation could be ruined, your internet service gone. All it would take is one troll posting broken images on a popular forum.
How long have you been reading this article?
Enough time for your browser to make a few GET requests?
That is the power of CSRF.
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.