Re: Explain CSRF
Date: July 22, 2012 04:29PM
Hi,
the victim user should be someone who the website "trusts". If the user has an account and is logged in, the website can recognize this particular user, maybe because a cookie has been written - the cookie is there after the login of the user. That is just one possibility. And of course the website must be vulnerable to CSRF for the attack to work.
As an attacker we do not necessarily have an account on the website. We are not among the people whom the website "trusts". But maybe somebody else hotlinks an image from our website inside some forum or guestbook page - and suppose we don't like that and we are nasty - then we could redirect users instead of delivering an image on request. Or we put a link into an email and ask the user to click it (social engineering).
If the website is vulnerable and allows users to perform certain actions through GET requests, like changing the user password, we can use the redirect trick to lock users out of their account. Look at this URL:
http://example.com/forum/change-pass.php?newpasswd=12345
This time the user is not logged out of the website, but his password has been changed to something the attacker knows - but maybe the user doesn't even know this, because he has not visited the "change password" page, filled in "12345" into a form and hit the "change" button to submit the form - this went on behind the scenes. We made him send that request.
Maybe it helps to understand CSRF attacks if you look at some of the techniques used to defend a website against CSRF attacks. For example, if the "log out" link is not just some ordinary link but a form submit button, it could transmit a hidden parameter back to the server, a token, which will tell the server that the request to log out was legitimate - requesting the log out page through the hotlinked image redirect or through a link in an email does not work anymore, the token is missing. An example of a CSRF token is given in this article:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
I like the overview explanation of CSRF from the OWASP website:
"CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application."
Source: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
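The token defence described in the post above, as an added example that is not part of the original reply (written in Python rather than the PHP the change-pass.php URL suggests): a per-session token is minted at login, placed in a hidden form field, and every password change must be a POST carrying that exact token, so a redirected image request or an email link (a GET with no token) is rejected. The session store, the field names and the /forum/change-pass.php route are assumptions for illustration.

```python
import hmac
import secrets

# Hypothetical in-memory session store: session id -> session data.
# In a real application this would be backed by the server's session storage.
SESSIONS = {}

def create_session():
    """Start a logged-in session and mint a random per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "password": "old"}
    return sid

def render_change_password_form(sid):
    """The legitimate form carries the token back in a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/forum/change-pass.php">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="password" name="newpasswd"><button>change</button></form>')

def handle_change_password(sid, method, params):
    """Server-side handler for /forum/change-pass.php (assumed route).

    Returns (status, message). Only a POST that carries the token bound to the
    caller's session is honoured; a GET from a hotlinked-image redirect or an
    email link has no token and is refused before any state changes.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    if method != "POST":
        return 405, "password changes must be submitted via POST"
    supplied = params.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    session["password"] = params["newpasswd"]
    return 200, "password changed"
```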