Cross-Site Request Forgeries (CSRF)

by Vijay 2009-11-06 12:13:17

Cross-site request forgery, also known as a one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. CSRF exploits the cookies that a site has in a user's browser.

How does the attack work?

The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have authenticated. For example, one user, Mick, might be browsing a chat forum where another user, Mallory, has posted a message. Suppose that Mallory has crafted an HTML image element that references a script on Mick's bank's website (rather than an image file), e.g.,

<img src="http://bank.example/withdraw?account=mick&amount=1000000&for=mallory">

If Mick's bank keeps his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by Mick's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Mick's approval.

The following characteristics are common to CSRF:

* Involve sites that rely on a user's identity
* Exploit the site's trust in that identity
* Trick the user's browser into sending HTTP requests to a target site
* Involve HTTP requests that have side effects

At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. A user who is authenticated by a cookie saved in the user's web browser could unknowingly send an HTTP request to a site that trusts the user and thereby cause an unwanted action.

CSRF attacks using images are often made from Internet forums, where users are allowed to post images but not JavaScript.


Individual Web users can do the following to prevent CSRF attacks:

i) Logging out of sites and avoiding their "remember me" features
ii) Not displaying external images or not clicking links in "spam" or untrusted e-mails may also help.

Web sites can apply various CSRF countermeasures:

* Requiring authentication in GET and POST parameters, not only cookies;
* Checking the HTTP Referer header;
* Ensuring there's no crossdomain.xml file granting unintended access to Flash movies; and
* Limiting the lifetime of authentication cookies
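
The first two countermeasures, combined in one server-side check and run against the image request from the example above. This is an added example, not code from the original post; the HMAC token scheme, the names SERVER_SECRET and csrf_token, the host forum.example and the session value are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed names, not from the article: SERVER_SECRET, the "csrf_token" field,
# and forum.example as the third-party page hosting the image tag.
SERVER_SECRET = secrets.token_bytes(32)
SITE_HOST = "bank.example"  # host from the article's example


def issue_token(session_id):
    """Value the site embeds in its own forms, bound to one session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id, supplied):
    """Constant-time comparison; a missing token never matches."""
    if not supplied:
        return False
    expected = issue_token(session_id)
    return hmac.compare_digest(expected.encode(), supplied.encode())


def referer_is_same_site(referer):
    """Compare the parsed host, not a substring of the URL."""
    if not referer:
        return False  # strict policy chosen for this example
    try:
        return urlsplit(referer).hostname == SITE_HOST
    except ValueError:
        return False


def authorize_action(session_id, params, headers):
    """Gate for any request with side effects, whatever its HTTP method."""
    return (token_is_valid(session_id, params.get("csrf_token"))
            and referer_is_same_site(headers.get("Referer")))


# Constructed sample requests; both arrive with Mick's valid session cookie.
SESSION = "constructed-session-id-for-mick"
forged = authorize_action(
    SESSION, {"account": "mick", "amount": "1000000", "for": "mallory"},
    {"Referer": "http://forum.example/thread/42"})
genuine = authorize_action(
    SESSION, {"account": "mick", "amount": "50", "for": "alice",
              "csrf_token": issue_token(SESSION)},
    {"Referer": "http://bank.example/transfer"})
print("forged image request allowed:", forged)
print("genuine form submission allowed:", genuine)
```

The forged request is refused even though the cookie is valid, because the forum page can neither read the per-session token nor set a bank.example Referer.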
