Cross-site request forgery

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

Contents

Background

CSRF vulnerabilities have been known and in some cases exploited since 2001.[3] Because it is carried out from the user's IP address, some website logs might not have evidence of CSRF.[2] Exploits are under-reported, at least publicly, and as of 2007[4] there are few well-documented examples. About 18 million users of eBay's Internet Auction Co. at Auction.co.kr in Korea lost personal information in February 2008[citation needed]. Customers of a bank in Mexico were attacked in early 2008 with an image tag in email. The link in the image tag changed the DNS entry for the bank in their ADSL router to point to a malicious website, impersonating the bank.[5]

Example and characteristics

A National Vulnerability Database page describing a CSRF hole

The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have been authenticated.[1] For example, one user, Bob, might be browsing a chat forum where another user, Fred, has posted a message. Suppose that Fred has crafted an HTML image element that references an action on Bob's bank's website (rather than an image file), e.g.,

<img src="http://bank.example.com/withdraw?account=bob&amount=1000000&for=Fred">

If Bob's bank keeps his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by Bob's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval.

A cross-site request forgery is a confused deputy attack against a Web browser. The deputy in the bank example is Bob's Web browser which is confused into misusing Bob's authority at Fred's direction.

The following characteristics are common to CSRF:

  • Involve sites that rely on a user's identity
  • Exploit the site's trust in that identity
  • Trick the user's browser into sending HTTP requests to a target site
  • Involve HTTP requests that have side effects

At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. A user who is authenticated by a cookie saved in the user's web browser could unknowingly send an HTTP request to a site that trusts the user and thereby causes an unwanted action.

CSRF attacks using image tags are often made from Internet forums, where users are allowed to post images but not JavaScript.

Limitations

Several things have to happen for cross-site request forgery to succeed:

  1. The attacker must target either a site that doesn't check the referrer header (which is common) or a victim with a browser or plugin bug that allows referrer spoofing (which is rare).
  2. The attacker must find a form submission at the target site, or a URL that has side effects, that does something (e.g., transfers money, or changes the victim's e-mail address or password).
  3. The attacker must determine the right values for all the form's or URL's inputs; if any of them are required to be secret authentication values or IDs that the attacker can't guess, the attack will fail.
  4. The attacker must lure the victim to a Web page with malicious code while the victim is logged in to the target site.

Note that the attack is blind; i.e., the attacker can't see what the target website sends back to the victim in response to the forged requests, unless he exploits a cross-site scripting or other bug at the target website. Similarly, the attacker can only target any links or submit any forms that come up after the initial forged request, if those subsequent links or forms are similarly predictable. (Multiple targets can be simulated by including multiple images on a page, or by using JavaScript to introduce a delay between clicks.)

Given these constraints, an attacker might have difficulty finding logged-in victims or attackable form submissions. On the other hand, attack attempts are easy to mount and invisible to victims, and application designers are less familiar with and prepared for CSRF attacks than they are for, say, password-guessing dictionary attacks.

Severity

Unlike other types of vulnerabilities, there is no limit on impact of CSRF. According to the United States Department Of Homeland Security the most dangerous CSRF vulnerability ranks in at the 909th most dangerous software bug ever found, making this vulnerability more dangerous than most buffer overflows.[6] Other severity metrics have been issued for CSRF vulnerabilities that result in remote code execution with root privileges[7] as well as a vulnerability that can compromise a root certificate, which will completely undermine a public key infrastructure.[8]

Forging login requests

An attacker may forge a request to log the victim in to a target website using the attacker's credentials; this is known as login CSRF. Login CSRF makes various novel attacks possible; for instance, an attacker can later log in to the site with his legitimate credentials and view private information like activity history that has been saved in the account.[9] The attack has been demonstrated against YouTube.[10]

Other approaches to CSRF

Additionally, while typically described as a static type of attack, CSRF can also be dynamically constructed as part of a payload for a cross-site scripting attack, as demonstrated by the Samy worm, or constructed on the fly from session information leaked via offsite content and sent to a target as a malicious URL. CSRF tokens could also be sent to a client by an attacker due to session fixation or other vulnerabilities, or guessed via a brute-force attack,[11] rendered on a malicious page that generates thousands of failed requests. The attack class of "Dynamic CSRF", or using a per-client payload for session-specific forgery, was described[12] in 2009 by Nathan Hamiel and Shawn Moyer at the BlackHat Briefings,[13] though the taxonomy has yet to gain wider adoption.

Prevention

Individual Web users using unmodified versions of the most popular browsers can do relatively little to prevent cross-site request forgery. Logging out of sites and avoiding their "remember me" features can mitigate CSRF risk; not displaying external images or not clicking links in spam or untrusted e-mails may also help.

Browser extensions such as RequestPolicy (for Mozilla Firefox) can prevent CSRF by providing a default-deny policy for cross-site requests. However, this can significantly interfere with the normal operation of many websites. The CsFire extension (also for Firefox) can mitigate the impact of CSRF with less impact on normal browsing, by removing authentication information from cross-site requests.

Web sites have various CSRF countermeasures available:

  • Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions[1]
  • Requiring the client to provide authentication data in the same HTTP Request used to perform any operation with security implications (money transfer, etc.)
  • Limiting the lifetime of session cookies
  • Checking the HTTP Referer header
  • Ensuring that there is no clientaccesspolicy.xml file granting unintended access to Silverlight controls[14]
  • Ensuring that there is no crossdomain.xml file granting unintended access to Flash movies[15]
  • Verifying that the request's header contains a X-Requested-With. Used by Ruby on Rails (before v2.0) and Django (before v1.2.5). This protection has been proven unsecure[16] under a combination of browser plugins and redirects which can allow an attacker to provide custom HTTP headers on a request to any website, hence allow a forged requests.

A variation on this approach is to double submit cookies for users who use JavaScript. If an authentication cookie is read using JavaScript before the post is made, JavaScript's stricter (and more correct) cross-domain rules will be applied. If the server requires requests to contain the value of the authentication cookie in the body of POST requests or the URL of dangerous GET requests, then the request must have come from a trusted domain, since other domains are unable to read cookies from the trusting domain.

Checking the HTTP Referer header to see if the request is coming from an authorized page is commonly used for embedded network devices because it does not increase memory requirements. However a request that omits the Referer header must be treated as unauthorized because an attacker can suppress the Referer header by issuing requests from FTP or HTTPS URLs. This strict Referer validation may cause issues with browsers or proxies that omit the Referer header for privacy reasons. Also, old versions of Flash (before 9.0.18) allow malicious Flash to generate GET or POST requests with arbitrary http request headers using CRLF Injection. Similar CRLF injection vulnerabilities in a client can be used to spoof the referrer of an http request.

To prevent forgery of login requests, sites can use these CSRF countermeasures in the login process, even before the user is logged in.

Sites with especially strict security needs, like banks, often log users off after (for example) 15 minutes of inactivity.

Using the HTTP specified usage for GET and POST, in which GET requests never have a permanent effect, is good practice but is not sufficient to prevent CSRF. Attackers can write JavaScript or ActionScript that invisibly submits a POST form to the target domain. However, filtering out unexpected GETs prevents some particular attacks, such as cross-site attacks using malicious image URLs or link addresses and cross-site information leakage through <script> elements (JavaScript hijacking); it also prevents (non-security-related) problems with aggressive web crawlers and link prefetching.[1]

See also

References

  1. ^ a b c d Shiflett, Chris (December 13, 2004). "Security Corner: Cross-Site Request Forgeries". php|architect (via shiflett.org). http://shiflett.org/articles/cross-site-request-forgeries. Retrieved 2008-07-03. 
  2. ^ a b Ristic, Ivan (2005). Apache Security. O'Reilly Media. p. 280. ISBN 0-596-00724-8. 
  3. ^ Burns, Jesse (2005). "Cross Site Request Forgery: An Introduction To A Common Web Weakness". Information Security Partners, LLC. http://www.isecpartners.com/files/XSRF_Paper_0.pdf. Retrieved 2011-10-06. 
  4. ^ Christey, Steve and Martin, Robert A. (May 22, 2007). "Vulnerability Type Distributions in CVE (version 1.1)". MITRE Corporation. http://cwe.mitre.org/documents/vuln-trends/index.html. Retrieved 2008-06-07. 
  5. ^ "List of incidents for which Attack Method is Cross Site Request Forgery (CSRF)". Web Application Security Consortium. February 2008. http://www.webappsec.org/projects/whid/byclass_class_attack_method_value_cross_site_request_forgery_(csrf).shtml. Retrieved 2008-07-04. 
  6. ^ US-CERT vulnerability list by severity metric
  7. ^ cPanel Remote Root
  8. ^ OpenCA CSRF
  9. ^ Adam Barth, Collin Jackson, and John C. Mitchell, Robust Defenses for Cross-Site Request Forgery, Proceedings of the 15th ACM Conference on Computer and Communications Security, ACM 2007
  10. ^ Jeremiah Grossman, Google YouTube crossdomain security flaw
  11. ^ Inferno Security Blog Brute-forcing CSRF tokens
  12. ^ Weaponizing Web 2.0
  13. ^ Dynamic CSRF
  14. ^ Client access policy file to allow cross-domain access by Silverlight controls
  15. ^ Cross-domain policy file usage recommendations for Flash Player
  16. ^ "Django 1.2.5 release notes". Django. http://docs.djangoproject.com/en/1.2/releases/1.2.5/#csrf-exception-for-ajax-requests. 

External links


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Cross site request forgery — Les attaques de type Cross Site request forgeries (abrégées CSRF prononcées sea surfing ou parfois XSRF) utilisent l utilisateur comme déclencheur, celui ci devient complice sans en être conscient. L attaque étant actionnée par l utilisateur, un… …   Wikipédia en Français

  • Cross Site Request Forgery — Saltar a navegación, búsqueda El CSRF (del inglés Cross site request forgery o falsificación de petición en sitios cruzados) es un tipo de exploit malicioso de un sitio web en el que comandos no autorizados son transmitidos por un usuario en el… …   Wikipedia Español

  • Cross-Site Request Forgery — Eine Cross Site Request Forgery (auf Deutsch etwa „Seiten übergreifende Aufruf Manipulation“, meist CSRF oder XSRF abgekürzt) ist ein Angriff auf ein Computersystem, bei dem der Angreifer eine Transaktion in einer Webanwendung durchführt. Dies… …   Deutsch Wikipedia

  • Cross-site request forgery — Les attaques de type Cross Site Request Forgery (abrégées CSRF prononcées sea surfing ou parfois XSRF) utilisent l utilisateur comme déclencheur, celui ci devient complice sans en être conscient. L attaque étant actionnée par l utilisateur, un… …   Wikipédia en Français

  • Cross-Site Request Forgeries — Cross site request forgery Les attaques de type Cross Site request forgeries (abrégées CSRF prononcées sea surfing ou parfois XSRF) utilisent l utilisateur comme déclencheur, celui ci devient complice sans en être conscient. L attaque étant… …   Wikipédia en Français

  • Cross-site scripting — (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client side script into Web pages viewed by other users. A cross site scripting vulnerability may be used by attackers to… …   Wikipedia

  • Cross-Site Scripting — (XSS) bezeichnet das Ausnutzen einer Computersicherheitslücke in Webanwendungen, indem Informationen aus einem Kontext, in dem sie nicht vertrauenswürdig sind, in einen anderen Kontext eingefügt werden, in dem sie als vertrauenswürdig eingestuft… …   Deutsch Wikipedia

  • Cross-Site-Scripting — (XSS; deutsch Seitenübergreifendes Scripting) bezeichnet das Ausnutzen einer Computersicherheitslücke in Webanwendungen, indem Informationen aus einem Kontext, in dem sie nicht vertrauenswürdig sind, in einen anderen Kontext eingefügt werden …   Deutsch Wikipedia

  • Cross-site — can refer to the following network security exploits: Cross site cooking Cross site request forgery Cross site scripting Cross site tracing This disambiguation page lists articles associated with the same title. If an …   Wikipedia

  • Cross-Site-Cooking — Beim Cross Site Cooking, nutzt der Angreifer einen Fehler des Browsers, um einen falschen Cookie zum Server zu übermitteln. Cross Site Cooking ist eine Art von Browser Exploit (dt.: Ausnutzung eines Bugs in einem Browser), welche es einem… …   Deutsch Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.