comp.org.uk


Cross-Site Request Forgery (CSRF)

In a CSRF Web attack, the attacker forces the victim to submit the attacker's form data to the victim's Web server. The attacker creates the hosted form, containing malicious data, and sends it to the authenticated user. The user fills in the form and submits it to the server. Because the data arrives from a trusted, authenticated user, the Web server accepts it.

Anatomy of a CSRF Attack

A CSRF attack occurs over the following four steps:

  1. The attacker hosts a Web page with a form that looks legitimate. This page already contains the attacker’s request.

  2. A user, believing this form to be the original, enters a login and password.

  3. Once the user completes the form, that page gets submitted to the real site.

  4. The real site’s server accepts the form, assuming that it was sent by the user based on the authentication credentials. In this way, the server accepts the attacker’s request.

Pen-Testing CSRF Validation Fields

Before deploying the form, it is necessary to confirm that the form is validated before it reaches the server. The best way to do this is by pen-testing the CSRF validation field, which can be done in the following four ways:

  1. Confirm that the validation field is unique for each user.

  2. Make sure that one user cannot determine another user's validation field. If the attacker can produce the same validation field as another user, the validation field is worthless. The validation field must be unique for each site.

  3. Make sure that the validation field is never sent on the query string, because this data could be leaked to the attacker in places such as the HTTP Referer header.

  4. Verify that the request fails if the validation field is missing.
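The following is an added example, not code from the article, showing a minimal session-bound anti-CSRF token scheme together with a self-check that exercises the four points above. The names (Session, Request, render_form, csrf_check, pen_test) and the sample /transfer form are this example's own assumptions, not any real framework's API; the token is minted once per authenticated session from the OS random source, carried only in the POST body, and compared in constant time.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed, minimal model of a session-bound anti-CSRF token.
# Names (Session, Request, csrf_check, render_form, pen_test) are this
# example's own, not from the article or any framework.

TOKEN_BYTES = 32  # 256 bits of randomness from the OS CSPRNG


@dataclass
class Session:
    """Server-side session; the token is minted once per authenticated session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(TOKEN_BYTES))


@dataclass
class Request:
    """A parsed HTTP request: form is the POST body, query is the URL query string."""
    method: str
    session: Session
    form: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


def render_form(session: Session) -> str:
    """Emit the token as a hidden POST field only; it must never end up in a URL."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def csrf_check(req: Request) -> bool:
    """Accept a state-changing request only if the body carries this session's token."""
    if req.method != "POST":
        return False  # state changes are POST-only; GET never mutates
    submitted = req.form.get("csrf_token")
    if not submitted:
        return False  # check 4: missing field -> reject
    # Constant-time comparison so a timing side channel cannot leak the token
    return hmac.compare_digest(submitted, req.session.csrf_token)


def pen_test() -> dict:
    """Run the article's four checks against the scheme above; True means the check passed."""
    alice, bob = Session("alice"), Session("bob")
    results = {}
    # 1. Token is unique per user/session
    results["unique_per_user"] = alice.csrf_token != bob.csrf_token
    # 2. Another user's token is worthless: Bob submitting Alice's token is rejected
    forged = Request("POST", bob, form={"csrf_token": alice.csrf_token, "amount": "100"})
    results["not_guessable_by_other_user"] = not csrf_check(forged)
    # 3. Token travels in the body, never in the query string: the rendered form has no
    #    token in its action URL, and a token supplied only via the query string is ignored
    html = render_form(alice)
    action_url = html.split('action="')[1].split('"')[0]
    via_query = Request("POST", alice, query={"csrf_token": alice.csrf_token})
    results["never_in_query_string"] = (alice.csrf_token not in action_url
                                        and not csrf_check(via_query))
    # 4. Request without the field fails, while the legitimate request succeeds
    missing = Request("POST", alice, form={"amount": "100"})
    legit = Request("POST", alice, form={"csrf_token": alice.csrf_token, "amount": "100"})
    results["fails_when_missing"] = not csrf_check(missing) and csrf_check(legit)
    return results


if __name__ == "__main__":
    for name, ok in pen_test().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Running the script prints PASS for all four checks. In a real application the token would be stored in the server-side session (or derived from it with an HMAC) and the same check applied to every state-changing handler, not just one form.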


Published on Thu 02 January 2014 by Anthony Norton in Security with tag(s): csrf