
Website Hacking With CSRF Attack



Cross Site Request Forgery attack is also known as CSRF or XSRF for short. Do not confuse it with Cross Site Scripting, because the two attacks are entirely different. Like SQL injection and XSS, CSRF has been in the OWASP Top 10 web vulnerabilities for many years.



What is Cross Site Request Forgery Attack?

Cross Site Request Forgery, or CSRF, is an attack in which the attacker exploits a user's active browser session without that user's knowledge or permission. Using the victim's browser session, the attacker sends valid-looking requests to a website that perform some action in the user's account. The user has no way of knowing that the request was sent from his browser. The attacker uses some innocent third-party website to trigger these requests from the user's browser.

Example: if a form on a website can also be submitted from some other website, it is vulnerable to CSRF. Suppose there is a form on a vulnerable website

(http://www.vulnerablesite.com/vulnerable.php)

<form action="action.php" method="post">
</form>
And I make a duplicate form on my localhost:
<form action="http://www.vulnerablesite.com/action.php" method="post">
</form>

If I can submit the form from my localhost, the website is vulnerable to CSRF. Because the attack uses the user's own session to perform the malicious action, it is also known as a "Session Riding" attack. Sometimes it is hard to understand how this attack works in real life, so I will explain it with an example.

Suppose an online payment website like PayPal has a CSRF vulnerability. Attacker A wants to exploit it to attack victim B. For this he uses some third-party website. Innocent user B logs into his account to check his balance and then switches to a new tab without logging out of the old one. The session is still active in the browser.

Attacker A has posted a link or image on a website that, when loaded, submits the payment transfer form to send money to the attacker's account using the active session. Because the request comes from the user's browser with his session, the CSRF-vulnerable website transfers the funds.

How CSRF is different from XSS

Many people confuse CSRF with XSS. In XSS, the attacker exploits the user's trust in the website: a malicious script is injected and the user trusts it just because he sees a valid website URL. In CSRF, by contrast, the attacker exploits the website's trust in the browser: the website assumes that a request coming from the user's browser was made by the user himself.

Both vulnerabilities are serious.

Protection against CSRF attack:

Many people think that protecting against XSS also protects against CSRF, but this is not true; several separate measures are needed to limit the attack.
There are many ways to protect against CSRF attacks. Some important ones are given below:

  • Check the HTTP Referer header. If the request comes from a different domain, deny it.
  • Limit the lifetime of authentication cookies. If the user is inactive for some fixed time, the session must expire.
  • Limit the damage by authenticating the user again for each sensitive request.
  • Use a random token for each session and require it in every form submission.
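The following added example (not code from this post) shows how the last two protections close the hole in the action.php form above: the legitimate form carries a per-session token as a hidden field, and the server refuses any transfer whose token does not match the session or whose Origin/Referer is not its own. The site origin, session ids and header dictionaries are constructed for the demo.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

# Constructed values for the demo; a real site keeps the secret in config.
SITE_ORIGIN = "http://www.vulnerablesite.com"   # hypothetical site from the post
SERVER_SECRET = secrets.token_bytes(32)         # generated once at startup


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session token as HMAC(secret, session_id).

    A page on another origin cannot read the victim's session cookie or this
    value, so the duplicated form on localhost cannot supply a matching field.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_transfer_form(session_id: str) -> str:
    """The legitimate form, now carrying the token as a hidden input."""
    return (
        '<form action="action.php" method="post">\n'
        f'  <input type="hidden" name="csrf_token" value="{issue_csrf_token(session_id)}">\n'
        '</form>'
    )


def origin_allowed(headers: dict) -> bool:
    """Accept only if Origin (preferred) or Referer names our own origin.

    A missing header is treated as a failure: browsers send Origin on
    cross-site POSTs, so accepting its absence would reopen the hole.
    """
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def accept_transfer(session_id: str, form: dict, headers: dict) -> bool:
    """Return True only when the POST carries the right token for this
    session and came from our own origin; otherwise refuse the transfer."""
    expected = issue_csrf_token(session_id).encode()
    submitted = str(form.get("csrf_token", "")).encode()
    token_ok = hmac.compare_digest(expected, submitted)   # constant-time compare
    return token_ok and origin_allowed(headers)
```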
About Author:
Deepanker Verma is a security researcher and tech blogger. You can read his security blog at HackingTricks.


2 comments :

Anonymous said...

It seems to be very good, Rafay...
:) It would have been much better if you could give a demo...


RHA © 2013. All Rights Reserved.