Prevent Crosssite Request Forgery CSRF

Ever surprised of an action you have performed without your notice? Receiving a payment confirmation of 400$ from ebay since you have viewed a post for pen drive sale on ebay once. A Cross Site Request Forgery(CSRF) Attack can make you embarrassed. CSRF is an attack that forces user to perform an action which he is authorised to do, without his intention.

In the above case, attacker has injected malicious URI into the pen drive post, so that when a user viewed the post, he is forced to place the bid. He can inject into image tag or a iframe tag. In this case, GET request in the malicious URI caused the problem. Even if web application do not allow such operations with GET request, Attacker can still exploit by causing a POST request submission by Javascript injection. This attack was successful due to improper sanitisation of attackers post on the website. It is easily observed that most of the vulnerabilities are due to improper sanitisation of user input.

Even this attack can occur when the user visits a malicious site constructed by attacker that will load and executes malicious URI embedded in it submitting user’s credentials to a users trusted site. Such attempts can be prevented by referrer checking, where trusted site will check if the origin of the request is same as that site (same origin policy). Although Referrer headers can be spoofed using XMLHTTP object, it adds some layer of protection.

CSRF attacks are successful against web applications that use implicit authentication. To protect from such attacks, web applications should implement POST only (although it does not completely resolve), Request Verification (such as CAPCHA), Request tokens. At the server side, web application firewall (such as modsecurity) has to be implemented to counter these CSRF attacks. Proper sanitation of user input has to be implemented on web application. On client side, browser addons such as CSRF Protector on Mozilla would help stay protected from these attacks.

Advertisements

About wikihead

A Seeker. Information Security Professional, Pursuing Life with Ayurveda.
This entry was posted in Articles, security. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s