Monday, May 5, 2008

CSRF - An underestimated attack method

Cross Site Reference Forgery (CSRF) works by including malicious code or a link in a page that accesses a web application to which the user is believed to have authenticated. If the session for that web application has not timed out, an attacker may execute unauthorized commands.

Most Rails applications use cookie-based sessions. Either they store the session id in the cookie and keep a server-side session hash, or the entire session hash stays on the client side. In either case the browser will automatically send along the cookie on every request to a domain, if it can find a cookie for that domain. The critical point is that it will also send the cookie if the request originates from a site on a different domain. Let's start with an example:

  • Bob browses a message board and views a post from an attacker that contains a crafted HTML image element. The element references a command in Bob's banking application, rather than an image file:

  • <img src="http://www.bank.com/transfer?account=bob&amount=1000&destination=attacker">

  • Bob's session at www.bank.com is still alive, because he used it a few minutes ago and didn't log out.

  • By viewing the post, the browser finds an image tag that it tries to load from www.bank.com. As explained before, it also sends along the cookie with the valid session id.

  • The web application at www.bank.com verifies the user information in the corresponding session hash and transfers the money to the attacker's account. It then returns a result page, which is not what the browser expected, so no image is displayed.

  • Bob doesn't notice the attack; only a few days later does he find out about the strange transfer.

It is important to notice that the crafted image or link doesn't necessarily have to be situated in the web application's domain; it can be anywhere – in a forum, blog post or email.

[Figure: CSRF. This figure is taken from shiflett.org and illustrates how CSRF works.]

CSRF appears very rarely in CVE (Common Vulnerabilities and Exposures), less than 0.1% in 2006, but it really is a 'sleeping giant' [Grossman]. This is in stark contrast to what I (and others) see in security contract work: CSRF is an important security issue.

CSRF Countermeasures

First of all, GET and POST have to be used according to the W3C recommendations. Secondly, a security token in non-GET requests will protect your application from CSRF.

The HTTP protocol basically provides two main types of requests, GET and POST (there are more, but they are not supported by most browsers). The World Wide Web Consortium (W3C) provides a checklist for choosing between HTTP GET and POST:

Use GET if:

  • The interaction is more like a question (i.e., it is a safe operation such as a query, read operation, or lookup).

Use POST if:

  • The interaction is more like an order, or

  • The interaction changes the state of the resource in a way that the user would perceive (e.g., a subscription to a service), or

  • The user is to be held accountable for the results of the interaction.

The verify method in a controller can make sure that specific actions may not be used over GET. Here is an example that verifies that the transfer action is used over POST; otherwise it redirects to the list action.

verify :method => :post, :only => [ :transfer ], :redirect_to => { :action => :list }


With this precaution, the attack above will not work, because the browser sends a GET request for images, which the web application will not accept.

But this was only the first step, because POST requests can be sent automatically, too. Here is an example of a link which displays harmless.com as the destination in the browser's status bar. In fact it dynamically creates a new form that sends a POST request:

<a href="http://www.harmless.com/" onclick="var f = document.createElement('form'); f.style.display = 'none'; this.parentNode.appendChild(f); f.method = 'POST'; f.action = 'http://www.example.com/account/destroy'; f.submit();return false;">To the harmless survey</a>


Or the attacker places the code into the onmouseover event handler of an image:

<img src="http://www.harmless.com/img" width="400" height="400" onmouseover="..." />


There are many other possibilities, including Ajax, to attack the victim in the background. The solution is to include a security token in non-GET requests, which is checked on the server side. In Rails 2 this is a one-liner in the application controller:

protect_from_forgery :secret => "123456789012345678901234567890"


This will automatically include a security token, calculated from the current session and the server-side secret, in all forms and Ajax requests generated by Rails. You won't need the secret if you use CookieStore as the session store. Rails raises an ActionController::InvalidAuthenticityToken error if the security token doesn't match what was expected.

Note that cross-site scripting (XSS) vulnerabilities bypass all CSRF protections. XSS gives the attacker access to all elements on a page, so he can read the CSRF security token from a form or directly submit the form. This is how the Samy MySpace worm did it.
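The two countermeasures above, the verify :method check and the protect_from_forgery token check, as an added Ruby illustration that is not Rails' own code: the HMAC token derivation, the request hashes and the session id are assumptions standing in for Rails internals, and the constructed requests show a forged image GET, a forged hidden-form POST and an honest Rails form being handled.

```ruby
require 'openssl'

# Added illustration, not the Rails implementation: a simplified version of
# the two checks described above. The token derivation is an assumption that
# mirrors the idea "calculated from the current session and a server secret".
SERVER_SECRET = "123456789012345678901234567890" # constructed sample secret

# Token that Rails-generated forms carry. The attacker's page never learns the
# victim's session id, so it cannot compute this value for a forged request.
def authenticity_token(session_id, secret = SERVER_SECRET)
  OpenSSL::HMAC.hexdigest('SHA256', secret, session_id)
end

# Compare without early exit so the token is not leaked via timing.
def secure_equal?(given, expected)
  return false unless given.is_a?(String) && given.bytesize == expected.bytesize
  given.bytes.zip(expected.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Equivalent of: verify :method => :post, :only => [:transfer]
# A forged <img src=...> arrives as GET and is rejected here.
def allowed_method?(action, method)
  action != :transfer || method == 'POST'
end

# Equivalent of protect_from_forgery: every non-GET request needs the token.
# A forged POST (hidden form, Ajax) carries no valid token and is rejected here.
def verified_request?(method, params, session_id)
  return true if method == 'GET'
  secure_equal?(params['authenticity_token'], authenticity_token(session_id))
end

def dispatch(req, session_id)
  return :redirected_to_list unless allowed_method?(req[:action], req[:method])
  return :invalid_authenticity_token unless verified_request?(req[:method], req[:params], session_id)
  :action_executed
end

# Constructed requests, all arriving with Bob's cookie attached by the browser.
BOB_SESSION = 'bob-session-id'
FORGED_IMG  = { action: :transfer, method: 'GET',  params: { 'amount' => '1000' } }
FORGED_POST = { action: :transfer, method: 'POST', params: { 'amount' => '1000' } }
HONEST_POST = { action: :transfer, method: 'POST',
                params: { 'amount' => '10', 'authenticity_token' => authenticity_token(BOB_SESSION) } }

if __FILE__ == $0
  [FORGED_IMG, FORGED_POST, HONEST_POST].each { |r| puts dispatch(r, BOB_SESSION) }
end
```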


Reader Comments (15)

[...] just read a great article on Cross Site Reference Forgery, specifically related to how Rails 2.0 handles it.  I think it is a must read for all rails [...]

[...] is the link: http://www.rorsecurity.info/2008/05/05/csrf-an-underestimated-attack-method/ Share and Enjoy: These icons link to social bookmarking sites where readers can share and [...]

May 5, 2008 | Unregistered CommenterA CSRF Article

[...] Ruby on Rails Security Project – Exploring the Security of Rails and friends. wrote an interesting post today on CSRF - An underestimated attack method. Here’s a quick excerpt: Cross Site Reference Forgery works by including malicious code or a link in a page that accesses a web application that the user is believed to have authenticated. If the session for that web application has not timed out, an attacker may execute unauthorized commands. Most Rails applications use cookie-based sessions. Either they store the session id in the cookie and have a server-side session hash, or the entire session hash stays on the client-side. In either case the browser will automa [...]

[...] CSRF - An underestimated attack method [...]

[...] If the session for that web application has not timed out, an attacker may execute unauthohttp://www.rorsecurity.info/2008/05/05/csrf-an-underestimated-attack-method/Universal to allow free music downloads Guardian UnlimitedThe world's largest record label has [...]

[...] CSRF attacks manipulate the user data on his behalf, as described here. The flaw I’ve found is returning live Javascript object with lots of personal data, similar [...]

September 14, 2008 | Unregistered CommenterGUYA.NET » Blog Archive

<script>alert("hey!!")</script>

October 12, 2008 | Unregistered Commentermartin

