2. How?
Suppose you have an online bank account and you're already authenticated (you have already logged in).
3. How?
Now you click a link on another website, maybe in a comment. Ex.
<a href="http://bankwebsite.com/transfermoney.html">I posted photos</a>
To you this will just look like: I posted photos
5. What is it?
The attacker exploits the fact that the victim is already authenticated to a website
Identifying the attacker can be difficult
What can it do?
Proxy requests/commands for the attacker from the victim's browser, using the victim's credentials
Even POSTs can be forged as GET requests in some cases
Web Forms One Click demo in module
6. How is it exploited?
Can be very simple – an image link in an email, a script on a blog, a simple link
The attacker gets the user to
Click a specially crafted link (or injects JavaScript into a site the victim visits)
Execute a request (can be as simple as requesting an image URL in an email)
Innocently browse a web site
Can users include hrefs or image links on your site? Then they can link to a bad URL
Ever click "view images" in an email?
All browsers happily send the credentials along if the user is already logged on
If already logged in (forms auth), the cookie is sent even for an image request
8. CSRF – HOW IS IT EXPLOITED?
DEMO – Repeatability is the key
9. CSRF – HOW IS IT EXPLOITED?
DEMO – Piggyback with some other attack like XSS
10. CSRF – POSTs protect me
They do, don't they? Don't they? Hello?
Web Forms One Click attack
Page.IsPostBack doesn't always tell the truth
A button click event doesn't always mean someone clicked the button
11. How do you prevent it?
All Web Apps
Ensure GET only retrieves a resource (as per the HTTP spec)
No state is modified by a GET
POST/PUT/DELETE can be forged too, so they must take additional precautions
Try to make state-changing requests unique and non-repeatable
12. CSRF Defenses
CAPTCHA
Attacker must know the CAPTCHA answer
Assuming a secure implementation
Re-Authentication
Password Based
○ Attacker must know the victim's password
○ If the password is known, then it's game over already!
One-Time Token
○ Attacker must know the current token
○ Very strong defense!
Unique Request Tokens
Attacker must know the unique request token for a particular victim for a particular session
Assumes the token is cryptographically secure and not disclosed.
○ /accounts?auth=687965fdfaew87agrde …
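The following is an added example, not part of the slide deck or any project it describes. It ties together the "POSTs protect me", "How do you prevent it?" and "CSRF Defenses" slides in one constructed, in-memory toy bank: the weak handler accepts any request that carries a valid session cookie (so both an image GET and a cross-site POST move money), while the hardened handler refuses state changes over GET, requires a per-session token generated with a CSPRNG, compares it in constant time, and consumes it so the same request cannot be replayed. The session cookie value, account balances and the `/transfermoney.html` path are all constructed for the demo.

```python
"""Toy bank endpoint showing why a session cookie alone must not authorize a
request, and how GET-is-read-only plus one-time per-session tokens fix it.
Everything here is constructed sample data; nothing talks to a network."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request. The browser attaches cookies
    automatically, which is exactly what CSRF abuses."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # query string or form body


class Bank:
    """Constructed toy bank: one logged-in victim and one attacker account."""

    def __init__(self):
        self.sessions = {"sess-victim-123": "victim"}   # constructed session cookie
        self.balances = {"victim": 100, "attacker": 0}  # constructed balances
        self.tokens = {}   # session cookie -> set of not-yet-used one-time tokens

    def _user(self, req):
        return self.sessions.get(req.cookies.get("session"))

    def _move(self, user, req):
        to = req.params.get("to")
        try:
            amount = int(req.params.get("amount", 0))
        except ValueError:
            return 400, "bad amount"
        if amount <= 0 or to not in self.balances or self.balances[user] < amount:
            return 400, "bad transfer"
        self.balances[user] -= amount
        self.balances[to] += amount
        return 200, f"sent {amount} to {to}"

    def vulnerable_transfer(self, req):
        """Weak handler (the 'before'): a valid cookie plus parameters is enough.
        A GET from an <img> tag or an auto-submitted cross-site POST both work."""
        user = self._user(req)
        if user is None:
            return 401, "not logged in"
        return self._move(user, req)

    def issue_token(self, req):
        """Hardened flow, step 1: when the real transfer form is rendered, embed a
        fresh unpredictable per-session token. Another origin cannot read it."""
        if self._user(req) is None:
            return None
        token = secrets.token_hex(32)   # 256 bits from the OS CSPRNG
        self.tokens.setdefault(req.cookies["session"], set()).add(token)
        return token

    def hardened_transfer(self, req):
        """Hardened flow, step 2: GET never modifies state, and a POST must carry a
        token issued to this session; the token is consumed so a replay fails."""
        user = self._user(req)
        if user is None:
            return 401, "not logged in"
        if req.method != "POST":
            return 405, "GET must not change state"
        supplied = req.params.get("csrf_token", "")
        unused = self.tokens.get(req.cookies["session"], set())
        # compare_digest keeps the comparison time independent of where the
        # first mismatching character is, so the token is not leaked via timing
        match = next((t for t in unused if hmac.compare_digest(t, supplied)), None)
        if match is None:
            return 403, "missing or invalid CSRF token"
        unused.discard(match)   # one-time: the same request cannot be repeated
        return self._move(user, req)


def forged_request(method):
    """What a foreign page causes the victim's browser to send: the session
    cookie rides along automatically, the parameters come from the foreign page."""
    return Request(method, "/transfermoney.html",
                   cookies={"session": "sess-victim-123"},
                   params={"to": "attacker", "amount": "50"})


if __name__ == "__main__":
    print(Bank().vulnerable_transfer(forged_request("GET")))    # image GET succeeds
    print(Bank().vulnerable_transfer(forged_request("POST")))   # forged POST succeeds too
    bank = Bank()
    print(bank.hardened_transfer(forged_request("GET")))        # 405: GET is read-only
    print(bank.hardened_transfer(forged_request("POST")))       # 403: no token
    form = Request("GET", "/transfer-form.html", cookies={"session": "sess-victim-123"})
    tok = bank.issue_token(form)
    legit = Request("POST", "/transfermoney.html", cookies=form.cookies,
                    params={"to": "attacker", "amount": "50", "csrf_token": tok})
    print(bank.hardened_transfer(legit))                        # 200: real form submit
    print(bank.hardened_transfer(legit))                        # 403: replay rejected
```

The token set is keyed by the session cookie, so a token issued to one session is useless in another; in a real application the same idea is usually implemented by storing the token in server-side session state or deriving it as an HMAC of the session id, and the `compare_digest` check applies either way.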