@byelipk
Last active July 5, 2017 21:02
CSRF Study Notes

What is a CSRF?

This attack works by including malicious code, usually a link, in a website that accesses another site the user is believed to be authenticated with. If that user's session is still authenticated, the attacker may execute unauthorized commands.

Most web applications store session data in a cookie. Browsers automatically send the cookie on every request to the domain that set it, if a cookie for that domain exists. The catch is that the browser still sends the cookie when the request originates from a different domain.

What should I know about an authenticated request?

Know that...

  1. Authenticated state is usually persisted by an auth cookie.
  2. The auth cookie is sent to the web server on each request.
  3. The website can then look up and authorize the user for the current session.

CSRF begs the question, "What if I could get the user to make a request they didn't intend to make?"

By "user," I don't mean the actual person interacting with the website; I'm referring to the browser. We could cause a lot of damage if we had the browser use the auth cookie to make requests to the website the user wasn't even aware of. 😟

How do I prevent a CSRF attack?

First, respect the proper use of the GET and POST HTTP verbs: a GET request must never change state.

Second, add a security token to every non-GET request to ensure it is coming from the same origin as the web application.
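To make the second rule concrete, here is an added example in Python that is not part of the original gist. It derives a CSRF token bound to the session cookie, embeds it in a same-origin form, and checks it on the server before any state-changing request is handled; the function names, the constructed secret, the session values and the /account/destroy path are all assumptions for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo secret so the example is deterministic; a real server
# loads this from configuration and never commits it to source.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"

# Verbs that must never change state (first rule in the notes).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to the value of the auth/session cookie.

    Because the token is an HMAC of the session id under a server-side secret,
    a token lifted from one session cannot be replayed with another session's
    cookie, and a third-party page cannot compute it without the secret.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_destroy_form(session_id: str) -> str:
    """Same-origin form the real site serves: the token travels as a hidden field."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/account/destroy">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input type="submit" value="Delete my account">\n'
        "</form>"
    )


def request_is_legitimate(method: str, session_id: Optional[str],
                          submitted_token: Optional[str]) -> bool:
    """Server-side check run before any state-changing handler.

    - Safe verbs pass; by the first rule they cannot change state anyway.
    - Every other verb must carry a token that matches the one derived from
      the session cookie the browser attached to the request.
    """
    if method.upper() in SAFE_METHODS:
        return True
    if not session_id or not submitted_token:
        # Cookie arrived without a token: exactly what a cross-site form produces.
        return False
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so timing does not leak the expected token.
    return hmac.compare_digest(expected, submitted_token)


if __name__ == "__main__":
    victim_session = "sess-abc"  # constructed cookie value

    # Request produced by the legitimate form on the site's own origin.
    genuine_token = issue_csrf_token(victim_session)
    print("genuine POST:", request_is_legitimate("POST", victim_session, genuine_token))

    # Request produced by a cross-site form: the browser still attaches the
    # victim's cookie, but the form has no way to know the token.
    print("forged POST:", request_is_legitimate("POST", victim_session, None))

    # A token minted for another session is rejected too.
    print("wrong-session token:",
          request_is_legitimate("POST", victim_session, issue_csrf_token("sess-xyz")))
```

The reason this works is the point made earlier in the notes: the browser will attach the cookie to a cross-site POST, but the cookie is all it attaches. The hidden token lives only in pages served by the target origin, so a form hosted elsewhere cannot read or compute it, and the check fails. Binding the token to the session id with an HMAC keeps the example stateless; a per-form random nonce stored server-side is a common alternative.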

OK, so how would I initiate a CSRF attack?

CSRF attacks usually take a little bit of social engineering to kick off. One method would be to construct a link to a website we control from which we'll launch the attack.

Know of any websites where users post a lot of links?

Once a user clicks that link, they will be taken to your site. At that point it's up to you how to launch the CSRF attack.

One way might be to have a submit button inside a form. When that button is clicked, the form makes a POST request to the targeted website.

<!-- The browser attaches example.com's cookie to this POST even though the form lives on another site -->
<form method="POST" target="hiddenFrame" action="http://www.example.com/account/destroy">
  <input type="submit" value="Click me">
</form>

<!-- The response lands in this hidden frame instead of the visible page -->
<iframe name="hiddenFrame" style="display: none;"></iframe>

Note that the target attribute specifies a name or keyword indicating where the response received after submitting the form is displayed; here it is the hidden iframe, so the visible page does not change.
