Security Information and Review

Collection of security information and review

Problem and Solution : Cross Site Request Forgery ( XSRF )

Author : Admin

Cross Site Request Forgery (XSRF) is an attack technique in which malicious code exploits a website or web application so that unauthorized commands are transmitted on behalf of a user the website trusts. The attacker abuses the trust the website places in that user by way of a cross domain vulnerability; see the details in the posts on web based application security and basic cross domain security. Cross Site Request Forgery is also known as a one click attack or session riding, and is abbreviated CSRF or XSRF.


If the web application includes a feature that allows a user to change their profile or other information, such as their password or account details, an attacker can use a malicious page to make the victim's browser send a GET or POST HTTP request to that feature. With this vulnerability the attacker can change any information belonging to the authenticated user and, as a next step, use the changed credentials to log into the web application.


The attack works by including a link or script in a page that accesses a site to which the user is known to have authenticated. As an example scenario of how an attacker uses cross site request forgery (XSRF), suppose a web application (victim-shop-online.com) includes a feature that allows a user to change their password. This feature is implemented with an HTML form like this:

<form action="/change_password" method="POST">
        ...
        <label for="new_password">New Password</label>
        <input name="new_password" type="password" />

        <label for="confirm_password">Confirm</label>
        <input name="confirm_password" type="password" />
        ...
</form>

When this form is submitted by the user, the application determines the identity of the currently logged-in user from a session cookie and then updates the stored password for that user in the database. The attacker copies the form above into a page of their own and adds malicious code, like this:

<!-- the form now points at the victim site by absolute URL and carries a name
     so the script below can find it; the values are filled in by the attacker -->
<form name="change_password" action="http://victim-shop-online.com/change_password" method="POST">
        ...
        <label for="new_password">New Password</label>
        <input name="new_password" type="password" value="secret" />

        <label for="confirm_password">Confirm</label>
        <input name="confirm_password" type="password" value="secret" />
        ...
</form>

<!-- hidden frame so the victim sees nothing on the page -->
<iframe style="display: none;">
</iframe>

<script>
        // submitted automatically, without any click from the victim
        document.change_password.submit();
</script>

When the application receives the request, it determines that the cookie sent along with it is a valid session cookie, identifies and authenticates the user, accepts the submitted form, and updates the password.


We now explore in detail how to prevent Cross Site Request Forgery (XSRF) attacks that initiate a GET or POST request on behalf of a valid user.


First, inspecting Referer headers. Usually an attacker's malicious page makes its request to the application with an empty Referer header.
Second, validation via a user provided secret, requiring authentication in the GET or POST parameters and not only in cookies. A simple technique to prevent Cross Site Request Forgery (CSRF) is to require the user to enter a secret known only to the valid user. For example, the password change form above could have an additional input field for the current password.
Third, validation via an action token. To secure the application we can use a token to distinguish forged requests from genuine ones. Since the token is used to control the execution of state changes or transactions, we refer to it as an action token. We generate and validate the token with a cryptographic algorithm such that possession of a secret is necessary to produce a token the application will consider valid.
Fourth, a security analysis of the action token scheme.
Fifth, limiting the lifetime of authentication cookies.
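The following is an added example, not code from the original post, showing the first and third measures for the change_password form: an HMAC-based action token bound to the session and to one action with a limited lifetime, and a Referer/Origin check that rejects requests with the header missing. The secret, the 600 second lifetime, and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlsplit

# Constructed demo values: in a real deployment the secret comes from a key store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL = 600  # seconds an action token stays valid (assumed value)


def make_action_token(session_id, action, now=None):
    """Token = timestamp + HMAC(secret, session|action|timestamp).

    Bound to the session and to one action, so a token issued for the
    change_password form cannot be replayed for another user or action.
    The server embeds it in the form as a hidden field; an attacker's page on
    another origin cannot read it, so it cannot build a request that passes."""
    ts = int(time.time() if now is None else now)
    msg = "{}|{}|{}".format(session_id, action, ts).encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return "{}.{}".format(ts, base64.urlsafe_b64encode(mac).decode().rstrip("="))


def verify_action_token(token, session_id, action, now=None):
    """Recompute the token for this session/action and compare in constant time."""
    try:
        ts_str, _mac = token.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False  # malformed token
    current = int(time.time() if now is None else now)
    if ts > current or current - ts > TOKEN_TTL:
        return False  # expired, or timestamped in the future
    expected = make_action_token(session_id, action, ts)
    return hmac.compare_digest(expected, token)


def request_is_same_origin(headers, expected_host):
    """First measure from the post: reject a request whose Origin/Referer is
    missing (typical of a forged request) or names another host."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    return urlsplit(src).hostname == expected_host
```

The /change_password handler runs request_is_same_origin and then verify_action_token on the hidden form field before touching the database, and can additionally require the current password as the second measure describes.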

See you at next discussion.

Mohamad Widodo

Categories: Web Application Security
Michael :
Hey, have you seen this news article? New details about Michael Jackson's Death Emerge I was wondering if you were going to blog about this...
27 June 09 at 06:38
Cool post, just subscribed.
1 July 09 at 04:13

[...] On August 12, 2009, a vulnerability was reported in SquirrelMail which can be exploited by an attacker with the Cross Site Request Forgery (CSRF) technique. Find more information about this technique at Problem and Solution : Cross Site Request Forgery ( XSRF ). [...]

Doing some web surfing and noticed your blog looks a bit screwed up in my K-meleon internet browser. But fortunately hardly anybody uses it anymore but you might want to check it out.
12 December 09 at 03:57
If you like this post, please leave messages / comments.