Cross Site Request Forgery Attack for Web Penetration Testing
Cross site request forgery or CSRF attack is one of the Top Ten OWASP Vulnerabilities in a Web Application and quiet challenging during Web Application Penetration Testing . Cross Site Request Forgery is an attack that is caused if the web application allows the visitor to predict the details of a particular action .
In CSRF the attacker basically creates a Forged HTTP Request . This Forged HTTP Request forces the user to execute unwanted actions on a website that he trusts and he is currently Authenticated on . That being said , we have 2 main Requirements for a Successful CSRF Attack :
- The Victim must be authenticated in the web application and the Web Application being penetration tested must use cookies and sessions .
- The Web Application accepts the HTTP Requests from the authenticated user without verifying that the request is Unique to the User’s session .
CSRF Targets the State Changing requests such as Ticket booking , Funds Transfer , Buy from an online store etc . The forged HTTP request is sent to the victim through Social Engineering techniques .
Lets Consider the Example Attack Scenario :
The application allows a user to submit a state changing request that does not include anything secret. For example:
http://abc.com/bankapp/transferFunds?amount=30500&destinationAccount=1234567890
Now the attacker will construct a Forged HTTP Request that will transfer money from the victim’s account to any account of choice of the attacker, and then embeds this HTTP Request in an image request stored on a website under the attacker’s control:
Since nothing is sent in secret , the attacker can create a url of his choice easily .If the victim visits any of the attacker’s website while already authenticated to example.com, these forged requests will automatically include the user’s session info, authorizing the attacker’s request.Hence the money is transffered to the attackers account from the victims account .
So in CSRF all it takes is to make you visit a page of attackers choice (which is very easy via social engineering) , and steal money from his bank account or any other action .
Prevention of CSRF :
- Use Re authentication , CAPTCHA at state changing operations .
- Include Unique tokens in the hidden fields . This will send the request in the body of HTTP Requestrather than the URL
- Always use Multi-Step Transaction in you Website .
- Append the Unique token to each link on the requested page .
Code Review : If there is no unique identifier (Unique token) relating to each HTTP request , to tie the HTTP request to the user , we are Vulnerable to CSRF Attack . Session ID’s is not enough as it is sent in each HTTP request , legit or forged .