Cross-Site Request Forgery – Web site attack

30 June 2011

The web is full of security vulnerabilities; I'm going to describe some of them in my blog.

Here's one that most developers are not aware of. It's called CSRF (Cross-Site Request Forgery).

It's not a very common one, but it can easily be deadly.

Unlike other security vulnerabilities, which usually exploit the fact that a user has some permissions on a specific site, this one depends on a simple fact: a site trusts the user's browser.

Trusting the user's browser means that a web site accepts the browser's cookies without questioning where the request carrying them came from, very similar to session hijacking.

This means that if someone posts a request to a site using your browser, the site will accept that request, no questions asked.

For example, a request to charge an order at an e-commerce site would look like this:

This site will check out the order for a customer whose details are stored in a cookie. Basically, anyone who uses this browser on the victim's computer can just navigate to the site and the order will be checked out. Keep in mind that the order details include the shipping details.

OK, so sitting at the same PC is not exactly hacking, but check this out:

Let's say the hacker posts a message on a popular forum that includes a 1px image. Here's the image's HTML:

<img src="">

Now, when the victim reads the post, the browser submits a request to the server using the browser's cookie (if the cookie has not expired), and there you go!

The hacker has completed an order using the victim's credentials!

Here's a summary:


So what can be done?

Like most web vulnerabilities, CSRF is very easy to solve:

1. Consider creating an HTTP handler / module that makes sure the HTTP referrer has not changed during the session

2. Limit the lifetime of your cookies

3. Double-check / validate the user with a password popup, etc.
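To make the attack and the fixes concrete, here is an added example (my own illustration, not code from the original post or from any real shop): a checkout handler that trusts only the cookie, as in the forum-image scenario above, beside a hardened version that applies step 1 (the request must come from our own site, checked via the Origin or Referer header) and step 2 (a short-lived cookie). The hardened version also adds a per-session token and the SameSite cookie attribute, which go beyond the post's list but are the standard companions of the referrer check. The origin `https://shop.example`, the secret, the session store and the three requests are all constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical site origin and a constructed server-side secret (assumptions, not from the post).
SITE_ORIGIN = "https://shop.example"
SESSION_SECRET = b"constructed-server-secret-change-me"

# Constructed session store: cookie value -> logged-in user and cart.
SESSIONS = {
    "sess-abc123": {"user": "alice", "cart": ["item-42"]},
}


def checkout_vulnerable(request):
    """The post's scenario: the site trusts the cookie alone.

    The browser attaches the session cookie no matter which page triggered the
    request, so a forum post with <img src=".../checkout"> places the order
    just as well as the real checkout button does.
    """
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    return 200, f"order placed for {session['user']}: {session['cart']}"


def csrf_token(session_id):
    """Token bound to the session; the shop embeds it in its own checkout form."""
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(url):
    """Step 1 of the post: the request must come from our own site."""
    if not url:
        return False
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def checkout_hardened(request):
    """Same checkout, but the cookie alone is no longer enough."""
    session_id = request["cookies"].get("session")
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    # A state change must not be reachable through a GET that an <img> can trigger.
    if request["method"] != "POST":
        return 405, "checkout requires POST"
    # Prefer Origin; fall back to Referer. A missing header is rejected, not trusted.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not same_origin(source):
        return 403, "cross-site request rejected"
    # Synchronizer token: the forum page cannot read it, so it cannot forge it.
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    return 200, f"order placed for {session['user']}: {session['cart']}"


def session_cookie(session_id, max_age_seconds=900):
    """Step 2 of the post: a short-lived cookie. SameSite=Lax additionally stops
    the browser from attaching it to cross-site subrequests like the forum image."""
    return (f"session={session_id}; Max-Age={max_age_seconds}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


# Constructed requests. The victim's browser attaches the cookie to all of them.
FORGED_IMG = {  # what the 1px image on the forum produces
    "method": "GET",
    "headers": {"Referer": "https://forum.example/thread/99"},
    "cookies": {"session": "sess-abc123"},
    "form": {},
}
FORGED_FORM = {  # a forum page auto-submitting a hidden form
    "method": "POST",
    "headers": {"Origin": "https://forum.example"},
    "cookies": {"session": "sess-abc123"},
    "form": {"csrf_token": "guess"},
}
LEGIT = {  # the real checkout button on the shop's own page
    "method": "POST",
    "headers": {"Origin": SITE_ORIGIN},
    "cookies": {"session": "sess-abc123"},
    "form": {"csrf_token": csrf_token("sess-abc123")},
}

if __name__ == "__main__":
    print("vulnerable, forged <img>:", checkout_vulnerable(FORGED_IMG))
    print("hardened, forged <img>:  ", checkout_hardened(FORGED_IMG))
    print("hardened, forged form:   ", checkout_hardened(FORGED_FORM))
    print("hardened, legit:         ", checkout_hardened(LEGIT))
    print(session_cookie("sess-abc123"))
```

Running it shows the vulnerable handler accepting the forged image request with status 200, while the hardened handler rejects it (405 for the GET, 403 for the forged form with a wrong origin) and only accepts the shop's own POST that carries both the right Origin and the right token. Note that the referrer check alone is weak because browsers may omit the header; that is why the hardened handler treats a missing header as a failure and also requires the token.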

Wikipedia describes the vulnerability pretty straightforwardly here

You can find a Hebrew article that describes it in more detail here
