Page 1
CROSS-SITE REQUEST FORGERIES
AKSHAY BHARDWAJ
INTRODUCTION
Cross-Site Request Forgery (CSRF, pronounced "sea-surf") occurs when a website causes a
user's browser to perform an unintended action on a website where the user has some authority.
CSRF attacks are also known as Cross-Site Reference Forgery, XSRF and Session Riding. Web
developers often assume that defenses against Cross-Site Scripting (XSS) also protect
against CSRF attacks. This is not true: although the two attacks are similar in nature, they
differ in a few important ways. The National Vulnerability Database's website defines CSRF attacks as:
“Failure to verify that the sender of a web request actually intended to do so. CSRF attacks can
be launched by sending a formatted request to a victim, then tricking the victim into loading the
request (often automatically), which makes it appear that the request came from the victim.
CSRF is often associated with XSS, but it is a distinct issue.”[1]
CSRF attacks are particularly dangerous because they are largely ignored by the web
development community. When such an attack succeeds, it can perform malicious actions on a
website such as transferring money from a user's bank account to an undisclosed bank account
without the user's knowledge, retrieving the user's email address, or otherwise intruding on the
user's privacy. All of these acts are carried out by the attacker without the knowledge
or approval of the user.
HOW CSRF WORKS
Usually the HTML image tag is used for CSRF attacks: in place of a URL that merely points to an
image, the attacker puts a URL that performs the malicious action (a command to the target
site). This works because the server cannot tell the difference between a URL that only fetches
an image and a URL the attacker has planted to trigger an action. The server handles all URLs
the same way.
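To make this concrete, here is an added example that is not part of the paper: a constructed Python model of a bank's transfer endpoint, showing why the server cannot distinguish the request an image tag triggers from one the user made, beside a hardened version that refuses state changes over GET and requires a per-session token a foreign page cannot read. The session store, balances and cookie names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of a bank's "transfer" endpoint (no real framework involved).
# The browser attaches the bank's session cookie to every request it sends there,
# which is exactly what an <img src="..."> planted on another site relies on.
SESSIONS = {"sess-alice": "alice"}  # session cookie value -> logged-in user
BALANCES = {"alice": 100}
CSRF_TOKENS = {}  # session cookie value -> per-session anti-CSRF token

@dataclass
class Request:
    method: str
    params: dict
    cookies: dict = field(default_factory=dict)

def transfer_vulnerable(req: Request) -> str:
    """GET handler that trusts the cookie alone: it cannot tell a URL the user
    typed from one that an image tag on an attacker's page fetched."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return "401 not logged in"
    BALANCES[user] -= int(req.params["amount"])
    return "200 transferred"

def issue_token(session: str) -> str:
    """Mint a token the bank embeds in its own transfer form; a page on another
    origin cannot read it, so it cannot assemble a complete request."""
    CSRF_TOKENS[session] = secrets.token_hex(16)
    return CSRF_TOKENS[session]

def transfer_hardened(req: Request) -> str:
    """Refuses GET for a state change and requires the per-session token."""
    session = req.cookies.get("session")
    user = SESSIONS.get(session)
    if user is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state change requires POST"
    expected = CSRF_TOKENS.get(session, "")
    supplied = req.params.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "403 missing or invalid CSRF token"
    BALANCES[user] -= int(req.params["amount"])
    return "200 transferred"

# The request the victim's browser sends when it renders the attacker's image tag
# (constructed; the query string mirrors the bank-transfer scenario in the text).
FORGED = Request("GET", {"amount": "50"}, {"session": "sess-alice"})
```

The same forged request succeeds against `transfer_vulnerable` and is rejected by `transfer_hardened`, while the bank's own form, which carries the token, still works.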
A CSRF attack does not attempt to steal the user's username and password in order to take over
the session, unlike a Cross-Site Scripting (XSS) attack, which directs the user from their home
page to a third-party site through a link that requests the user's username and password, with
which malicious acts can then be performed. For this reason a CSRF attack is more difficult to
identify, as it happens without the user's knowledge.
Page 2
Example
Probably the most damaging act would be to use a CSRF attack to transfer money out of a user's
bank account to an undisclosed bank account. The attacker can accomplish this very easily by
directing the user to a link like this: