CSRF Attacks
Daniel Chen, 11/18/15
What is CSRF?
- Cross Site Request Forgery ("Sea-Surf"), AKA XSRF / One Click / Sidejacking / Session Riding
- Exploits the trust a site places in the user's browser
- Browsers automatically send credentials (the session cookie) with every request to the site
- Tricks the victim's browser into submitting a request the attacker chose
- Normally used for state-changing effects, since the attacker cannot read the response
How Does it Work?
- Build an exploit URL or script
- Use social engineering: disguise it and make it seem appealing so people click on it
- The request is submitted automatically when the page loads
HTTP Methods - GET
GET HTTP/1.1
Same as before
HTTP Methods - POST
POST HTTP/1.1
acct=BOB&amount=100
- Submit automatically with JavaScript (a hidden form the page submits on load)
HTTP Methods – PUT/DELETE
- Harder to do, but you can use JavaScript
PUT HTTP/1.1
{ "acct":"BOB", "amount":100 }

```javascript
// Cross-origin PUT attempt from the attacker's page. The target URL on the
// original slide was lost in extraction, so a placeholder stands in for it.
function put() {
  var x = new XMLHttpRequest();
  x.open("PUT", "https://TARGET-URL-PLACEHOLDER/transfer");
  x.setRequestHeader("Content-Type", "application/json");
  x.send(JSON.stringify({"acct": "BOB", "amount": 100}));
}
```

- Doesn't work on modern browsers: a cross-origin PUT with a JSON content type triggers a CORS preflight, which the target server would have to explicitly allow
Same Origin Policy
- Restricts what scripts can do
- Only allows web pages to access each other's data if they are from the same origin (same scheme, host and port)
Prevent CSRF Attacks
- Use "Challenge Tokens"
- On sensitive areas (like forms) add a special token
Prevent CSRF Attacks
- The token is randomly generated per user per session, and the server records it
- The attacker can't see what the token is
- The attacker can't load a request with the token already in it, because the same-origin policy stops their page from reading it out of the victim's form
Challenge Token Example - Legit
Client to server: GET "password change form". My session cookie is
Server to client: New Password: CSRF token:
Client to server: New password is ****, csrf token is, session cookie is
Server to client: session cookie and csrf token match. Password changed!
Challenge Token Example - Attacker
- The attacker crafts a GET URL that would trick Alice's browser into sending a password change request if she clicks it
- The attacker randomly makes up a CSRF token and puts it in the URL
Client to server: New password is ****, csrf token is, my session cookie is
Server to client: csrf token doesn't match. Password change failed