CSRF: High-Tech Hypnotism

[https://www.hobbyconsolas.com/noticias/simpson-lanzaran-episodio-escrito-hace-mas-20-anos-homer-cree-ser-nino-105672]

Who are you CSRF?
Cross-Site Request Forgery is known as CSRF in short. This is an attack that tricks an end-user to perform unintended tasks on a web application in which they are currently authenticated. The malicious tasks that the victim performs will be based on the attacker's interest. This is something similar to a hypnotist hypnotizing another individual to do something according to the hypnotist's wish. CSRF attacks are also known as Session Riding, XSRF, Sea Surf, and Hostile Linking. Microsoft name these types of attacks as "One-Click Attacks".

What really happens in CSRF?
CSRF attack is not something like stealing someone's session cookie and viewing their profile or updating their status and playing around with it. This attack is not about the data but rather changing the state and make the end-user do some malicious tasks on behalf of the attacker's interest. A typical example would be making the victim to transfer money from the victim's account to the attacker's account without the knowledge of the victim. Let's take a look at the following example:
Fig 1 - CSRF Attack in an online banking application

The main 2 steps in a CSRF attack are:
a. Make the end-user click on the malicious link that the attacker sends.
b. Create a link to fulfill the attacker's goal that looks like a legitimate request which will be sent to the genuine website with the appropriate cookie.

Steps in detail:
1. End-user access the ABC bank's website through its URL, abcbank.com and logs in by providing the credentials.

2. The application will authenticate the user and if it is a valid user the app will return a cookie which will be stored in the browser.

3. Meanwhile, the attacker will prepare a link which will transfer the money from end-users account to the attacker's account. Using the social engineering techniques the attacker will make the end-user to click on the link in order to achieve the attacker's goal.

4. When the end-user clicks on the link sent by the attacker, the link will be redirected to the money transferring page along with the matching cookie. This is done without the intention of the end-user.

5. Since the cookie is a legitimate cookie the app considers this to be a valid request and completes the request by sending the money from end-user's account to the attacker's account.

The following images illustrate the actual money transfer between the end-user's account and the attacker's account. 

Fig 2 - Money transfer between end-user's account and the attacker's account

As you can see in Fig 2 once the end-user click on the link provided in the attacker's account the script in that particular site which will have the attacker's preferred values and actions that will trigger the money transfer activity and abcbank.com will transfer the money to the attacker's account.

Fig 3 - HTML form for the attacker's site

Fig 4 - The corresponding web page for the code provided in Fig 3

This is one of the examples of CSRF attack in real life.  The intention of CSRF is not to capture the data but instead to make use of the privilege level of the authenticated user and achieve the goals of the attacker.

Social Engineering in brief
Social engineering is a way of taking advantage on human qualities to fulfill the attacker's goal. Just as we protect our machines from malware we should protect ourselves from social engineering. Some common example of social engineering is phishing, scams, pre-texting, baiting, etc.

Some social engineering recommendations:
1. Do not open mails from untrusted sources
2. Do not accept offers from strangers
3. Lock your machines
4. Use anti-virus software

CSRF Prevention mechanisms
Though there are so many CSRF prevention mechanisms two of the followings plays a huge role in it.
1. Synchronizer token pattern
    This is also known as an Anti-CSRF token. This is to make use of a token additionally added to the cookie passed with each request to protect the request.

2. Double submit cookie pattern
    This cookie can only be sent if the request is made from the same origin as the cookie is being sent from.

More useful blogs on CSRF prevention mechanisms will be coming soon. Till then try out these concepts and have a secure coding day.

Comments

Popular posts from this blog

Hashing... First Step to Secure Software Programming

Encryption to take secure programming a step forward

RMI - Weather station