Cross-site request forgery is an attack in which an attacker coerces a user to perform an action the user did not intend to, on a server the attacker has no control over.
For this reason, cross-site request forgery (or CSRF) is often referred to as a drive-by attack. As a user drives by an attacker-controlled site, their browser is told to do things on a different, target website. When you visited the exploited page, JavaScript posted a transfer request to your website. In 2013 a CSRF attack on Facebook could let an attacker take over a user's account by targeting Facebook's email change functionality. CSRF attacks are also known by a number of other names, including XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery, and Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in their threat modeling process and many places in their online documentation.
Cross-site scripting in number 1 vulnerability in the web, if you writing software you should know this. Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
Here is a quick demo on how to discover injection and tools to fix the vulnerability.
You can earn money with this attack, something around $12,000 that can be paid by big fish websites like Facebook.com or others. Check out the video for more detailed explanation how it is working: Cracking Websites with Cross Site Scripting - Computerphile
In order to avoid this vulnerability, sites should require anti-forgery tokens in every POST request. At the same time, any action that affects a user should be sent as a POST request. To check for CSRF, look for requests to the server that can be repeated or cause the same action or do not contain information that is unobtainable by an attacker.
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The impact of a successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context. In effect, CSRF attacks are used by an attacker to make a target system perform a function (Funds Transfer, form submission etc.) via the target's browser without knowledge of the target user, at least until the unauthorized function has been committed.
- #TOP 1 attack in the web: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
- #TOP 2 attack in the web: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
- #TOP 3 attack in the web: Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.
1. Injection Flaws (e.g., SQL, Command Injection):
- Prevention: Sanitize all input data. Use parameterized queries and prepared statements when interacting with databases. Regularly update and patch your systems and software to fix vulnerabilities.
- Tools: Use automated security scanning tools to detect injection flaws.
2. Broken Authentication:
- Prevention: Implement multi-factor authentication (MFA) and ensure that passwords are stored securely using hash functions. Session management should be secure, with timeouts and proper handling of session tokens.
- Tools: Security frameworks and libraries can help manage authentication securely.
3. Sensitive Data Exposure:
- Prevention: Encrypt sensitive data in transit and at rest. Apply access controls rigorously to ensure only authorized users can access critical data.
- Tools: Use encryption tools and services, and conduct regular access audits.
4. XML External Entities (XXE):
- Prevention: Disable external entity processing in XML parsers. Use simpler data formats such as JSON, and patch or update XML processors and libraries regularly.
- Tools: Static analysis security testing (SAST) tools can detect XXE vulnerabilities.
5. Broken Access Control:
- Prevention: Implement least privilege principles. Regularly review and update access controls. Ensure that users can only access the data and actions that are necessary for their role.
- Tools: Access control testing tools and regular security audits can help identify and mitigate issues.
6. Security Misconfiguration:
- Prevention: Regularly update and patch systems. Remove unnecessary services and default accounts. Ensure proper security settings in application frameworks and servers.
- Tools: Configuration management tools and security scanners can help identify misconfigurations.
7. Cross-Site Scripting (XSS):
- Prevention: Sanitize all user input to ensure that HTML, JavaScript, and other content is not executable. Use Content Security Policy (CSP) headers to reduce the risk of XSS.
- Tools: Automated tools can help identify potential XSS vulnerabilities in web applications.
8. Insecure Deserialization:
- Prevention: Avoid deserializing data from untrusted sources. Implement integrity checks and use secure serialization libraries.
- Tools: Deserialization vulnerability scanning tools can help detect risks.
9. Using Components with Known Vulnerabilities:
- Prevention: Regularly inventory and update third-party libraries and components. Use software composition analysis (SCA) tools to identify and replace vulnerable components.
- Tools: SCA tools and vulnerability databases can help track component vulnerabilities.
10. Insufficient Logging and Monitoring:
- Prevention: Implement comprehensive logging and real-time monitoring. Set up alerts for suspicious activities to detect and respond to incidents promptly.
- Tools: Security information and event management (SIEM) systems, log management tools, and intrusion detection systems (IDS) can aid in effective monitoring.
General Best Practices:
- Education and Training: Regularly train employees on security best practices and awareness.
- Penetration Testing: Regularly conduct penetration testing to identify and mitigate vulnerabilities.
- Incident Response Plan: Develop and regularly update an incident response plan to ensure quick and effective action in case of a security breach.
By addressing these common security vulnerabilities with the appropriate strategies and tools, organizations can significantly strengthen their defense against cyber threats. Remember, security is an ongoing process that requires vigilance, regular updates, and a culture of security awareness.
References
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005)
https://en.wikipedia.org/wiki/Cross-site_request_forgery
Security vs Privacy
Summary
As seen in the above scenarios, the CSRF is no longer an issue that can be neglected in today‟s web application arena. The CSRF armed with the HPP (HTTP Parameter Pollution) attack vector can even bypass web browser-based filter, web firewall, and defense employed in applications. Tools used to identify and prepared CSRF are readily available. Make sure that you patch security holes and check for most common attacks.
