Threat Watch: Cross Site Request Forgery (CSRF)

Why a little-known web application vulnerability could cause big problems

By Rick Cook

CSO, December 20, 2007

After Cross Site Scripting (XSS), the second most common web application security exploit is probably one you haven't heard of: Cross Site Request Forgery (CSRF for short). This little-known but troubling web-application attack hijacks a user's browser to perform actions he or she never intended, anything from ordering merchandise to sending threatening letters to the White House.

By their nature CSRF attacks are hard to prove. Unless you have a case like the Samy worm that produces a major disruption, it's hard even to know such an exploit is out there. (The 2005 Samy worm was only discovered because it combined XSS with forged requests: script injected into one MySpace profile made every viewer's browser add the author as a friend and copy the payload into the viewer's own profile, temporarily making him the most popular person on MySpace.) Unlike an XSS attack, which tricks the site into serving attacker-controlled script to other users' browsers, CSRF simply has the site execute legitimate commands, just not commands the user chose to issue.

Despite this type of attack being difficult to detect, Jeremiah Grossman, CTO at web application security vendor Whitehat Security, estimates that it’s the second most common web application attack, after XSS, and believes that it is about where XSS was a couple of years ago: Few security professionals are aware of it, but it is being increasingly exploited by computer criminals.

Here's how it works. The attacker plants a snippet on a page the victim will load (an attacker-controlled site, a forum post, an HTML e-mail), often disguised as an IMG, SCRIPT or IFRAME element in HTML, or an Image object created from JavaScript, whose source is a URL of the form "http://host/?command". The victim's browser fetches that URL as it would any other embedded resource, automatically attaching whatever cookies it holds for the target host. If the victim is logged in to the site, or the site does not require authentication, the targeted website executes the command without further prompting: from the server's point of view the request is indistinguishable from one the user made on purpose.

This example won't work if the site accepts the action only via a POST request rather than a GET. (Both are HTTP request methods; GET is meant for retrieving a resource, POST for submitting data to it, and an IMG or SCRIPT tag can only produce a GET.) But attacking a site that uses POST is only slightly more complex: instead of a single URL, the attacker's page carries a hidden HTML form with its fields pre-filled and its action pointing at the target site, and a line of JavaScript submits the form automatically when the page loads.
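The mechanics of the two paragraphs above, as an added example that is not part of the original article: a small Node.js model in which the browser, the attacker's page and the target site are all simulated in-process (the host bank.example, the /transfer endpoint, the user names, and the cookie and token values are invented for the illustration). It shows the GET variant (an IMG whose src is the command URL), the POST variant (a hidden form submitted by script), why both succeed against a handler that trusts the session cookie alone, and, going slightly beyond the text, the standard check that defeats them: a per-session token that a page on another site cannot read and therefore cannot forge.

```javascript
// Added example (not from the article): an in-process model of a CSRF attack.
// The browser, the attacker's page and the target site are all simulated here;
// the host name, endpoint, cookie and token values are invented for illustration.

// --- Target site ("bank.example", hypothetical) ------------------------------
const sessions = { 's3cr3t-session-id': { user: 'alice', csrfToken: 'tok-9f1c' } };
const balances = { alice: 500, mallory: 0 };

function resetBalances() { balances.alice = 500; balances.mallory = 0; }

function transfer(from, to, amount) {
  if (!(from in balances) || !(to in balances)) return false;
  if (!(amount > 0) || balances[from] < amount) return false;
  balances[from] -= amount;
  balances[to] += amount;
  return true;
}

// Vulnerable handler: anything carrying a valid session cookie is trusted, and
// a state-changing action is accepted over GET as well as POST.
function vulnerableHandler(req) {
  const session = sessions[req.cookies.session];
  if (!session) return { status: 401 };
  if (req.path !== '/transfer') return { status: 404 };
  const params = req.method === 'GET' ? req.query : req.body;
  return { status: transfer(session.user, params.to, Number(params.amount)) ? 200 : 400 };
}

// Hardened handler: state changes only over POST, and the request must carry
// the per-session token. Only pages from the site's own origin can read that
// token, so a forged request launched from another site cannot include it.
function hardenedHandler(req) {
  const session = sessions[req.cookies.session];
  if (!session) return { status: 401 };
  if (req.path !== '/transfer') return { status: 404 };
  if (req.method !== 'POST') return { status: 405 };
  if (req.body.csrf_token !== session.csrfToken) return { status: 403 };
  return { status: transfer(session.user, req.body.to, Number(req.body.amount)) ? 200 : 400 };
}

// --- Victim's browser --------------------------------------------------------
// The cookie jar is keyed by host. The browser attaches a host's cookies to every
// request for that host, no matter which page caused the request to be made.
const victimCookieJar = { 'bank.example': { session: 's3cr3t-session-id' } };

// The request a browser sends for <img src="..."> on the attacker's page.
function requestFromImg(src, jar = victimCookieJar) {
  const u = new URL(src);
  return { method: 'GET', host: u.host, path: u.pathname,
           query: Object.fromEntries(u.searchParams), body: {},
           cookies: jar[u.host] || {} };
}

// The request a browser sends for a hidden <form method="post" action="...">
// whose inputs are pre-filled and which a script submits on page load.
function requestFromAutoSubmitForm(action, fields, jar = victimCookieJar) {
  const u = new URL(action);
  return { method: 'POST', host: u.host, path: u.pathname, query: {},
           body: { ...fields }, cookies: jar[u.host] || {} };
}

// --- Attacker's page (constructed for the example) ---------------------------
// <img src="http://bank.example/transfer?to=mallory&amount=100">
const IMG_SRC = 'http://bank.example/transfer?to=mallory&amount=100';
// <form action="http://bank.example/transfer" method="post">
//   <input type="hidden" name="to" value="mallory">
//   <input type="hidden" name="amount" value="100">
// </form><script>document.forms[0].submit()</script>
const FORM_ACTION = 'http://bank.example/transfer';
const FORM_FIELDS = { to: 'mallory', amount: '100' };

// Run both forged requests against each handler and report what happened.
function demo() {
  const r = {};
  resetBalances();
  r.getAgainstVulnerable = vulnerableHandler(requestFromImg(IMG_SRC)).status;
  r.postAgainstVulnerable = vulnerableHandler(requestFromAutoSubmitForm(FORM_ACTION, FORM_FIELDS)).status;
  r.balanceAfterVulnerable = { ...balances };
  // A visitor who is not logged in to bank.example has no cookie to attach.
  r.unauthenticatedGet = vulnerableHandler(requestFromImg(IMG_SRC, {})).status;

  resetBalances();
  r.getAgainstHardened = hardenedHandler(requestFromImg(IMG_SRC)).status;
  r.postAgainstHardened = hardenedHandler(requestFromAutoSubmitForm(FORM_ACTION, FORM_FIELDS)).status;
  r.balanceAfterHardened = { ...balances };
  // A genuine form served by bank.example carries the token and still works.
  r.legitimatePost = hardenedHandler(
    requestFromAutoSubmitForm(FORM_ACTION, { ...FORM_FIELDS, csrf_token: 'tok-9f1c' })).status;
  return r;
}

console.log(demo());
```

The point the model makes is that the server never sees who authored the request: the cookie arrives because the browser adds it for the host, so the only workable check is something the attacker's page cannot supply, such as the token tied to the session.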

While the dangers of such attacks on sites that require authentication are obvious, even CSRFs against sites that don't require authentication can be damaging. Grossman points out that Whitehouse.gov doesn't require authentication, but having your browser send a bunch of threatening e-mails to the White House is probably going to get you a visit from the FBI.

Of course, the vast majority of people who encounter the attack on a site that
