Threat Watch: Cross Site Request Forgery (CSRF)
Why a little-known web application vulnerability could cause big problems
By Rick Cook
December 20, 2007
—
CSO
—
After Cross Site Scripting (XSS), the second most common web application security exploit is probably one you haven’t heard of: Cross Site Request Forgery (or CSRF for short). This little-known but very troubling web-application attack essentially hijacks a user’s browser to perform actions he or she didn’t intend--anything from ordering merchandise to sending threatening letters to the White House.
By their nature CSRF attacks are hard to prove. Unless you have a case like the Samy worm that produces a major disruption, it’s hard even to know such an exploit is out there. (The 2005 Samy worm was only discovered because it used CSRF to temporarily make the writer the most popular person on MySpace.) Unlike an XSS attack, which tricks the site into uploading malicious code, CSRF simply has the site execute legitimate commands--just not commands issued by the user.
Despite this type of attack being difficult to detect, Jeremiah Grossman, CTO at web application security vendor Whitehat Security, estimates that it’s the second most common web application attack, after XSS, and believes that it is about where XSS was a couple of years ago: Few security professionals are aware of it, but it is being increasingly exploited by computer criminals.
Here’s how it works. The attacker inserts a snippet of code--often disguised as an IMG, SCRIPT or IFRAME in HTML, or an IMAGE object in Javascript--that contains a payload of the form "http://host/?command". This code instructs the victim's browser to send a request to the target web site. If the victim is authenticated on the site or the site does not require authentication, the targeted website executes the command without further prompting.
This example won’t work if the site uses the POST command to receive information from the web browser, instead of the GET command. (Both POST and GET are HTTP commands used to request files from a web server.) But attacking a site that uses POST is only slightly more complex, with the attacker using a Javascript form in place of the simple command.
While the dangers of such attacks on sites that require authentication are obvious, even CSRFs against sites that don’t require authentication can be damaging. Grossman points out that Whitehouse.gov doesn’t require authentication, but sending a bunch of threatening e-mails to the White House is probably going to get you a visit from the FBI.
Of course, the vast majority of people who encounter the attack on a site that
In-depth information on tools and strategies for writing secure code, finding vulnerabilities, and other critical application security issues
10 steps to secure browsing
Holistic patch management, browser settings, filtering, and other tactics
Vulnerability management: The basics
5 key tenets for making the most of vulnerability management efforts
Software security for developers
Building security in, from the requirements phase through deployment
Software security for app dev managers
Building and managing a software security program that pays off
How to use source code analysis tools
Database security: At rest, not at risk
How to compare patch management software
Ranum: Does disclosure work?
- Security Analytics Video
- Enterprise File Sharing: All You Need to Know
- Forrester Research and EMC on Continuous Availability
- Big Ideas; Big Tech-Continuous Availability for VMware
- Reduce Costs, Maximize Performance and Ensure High Availability of your Business Critical Applications
- Software Asset Management - Program Considerations to Help Reduce Risk and Lower Costs
- Mandiant's APT1: Revisited
The Mandiant APT1 report made our industry stronger by encouraging -- if not forcing -- information sharing. By Nick Selby - Attacks from China: A survival guide
- #FFSec: Infosec pros who bring value to Twitter
More Salted Hash with Bill Brenner
