CIS 6614 meeting -*- Outline -*-

* Cross-Site Request Forgery (CSRF or XSRF)

Based on notes by Suman Jana, which are based on slides by John Mitchell

Also: Rupali D. Kombade, B.B. Meshram. "CSRF Vulnerabilities and
Defensive Techniques", IJCNIS, vol.4, no.1, pp.31-37, 2012.
DOI: 10.5815/ijcnis.2012.01.04

** background on the attack

It's a kind of "confused deputy" attack in that the browser, acting on
behalf of the user, sends the cookie along to authenticate the injected
request

*** use of cookies for authentication

------------------------------------------
SESSIONS USING COOKIES

  Browser                              Server
    []      POST /login.cgi              []
    [] ------------------------------>   []
    []                                   []
    []      set-cookie: authenticator    []
    [] <------------------------------   []
    []                                   []
    []      GET: Cookie: authenticator   []
    [] ------------------------------>   []
    []                                   []
    []      response                     []
    [] <------------------------------   []
------------------------------------------

the cookie is passed to the server as an authentication mechanism

*** example of attack

------------------------------------------
ATTACK EXAMPLE

1. User logs in to bank.com
   - Session cookie remains in browser
2. User visits another site with ...
3. Browser sends user auth cookie with form submission
4. Transaction will be fulfilled

Problem:
------------------------------------------

Q: Why is the transaction fulfilled?
   Because the cookie is still there and authenticates the user
   ... cookie authentication is insufficient when there are effects
       (e.g., for POST)

Q: Is the attacker's page/script part of the original session?
   No, but cookies are global to the browser (one per user)

Q: Do you ever stay logged in to a website while browsing?
   (Many people do!)

------------------------------------------
HTML TAGS USED IN CSRF ATTACKS

from Kombade and Meshram 2012 (table 1):

Tag       Exploit example
========================================
body
img
input
link
table
iframe
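The cookie exchange and the four-step attack above, as an added example that is not part of these notes or the cited paper: a small Python model in which a simulated browser attaches the bank's cookie to a form submission no matter which page triggered it, so a server that checks only the cookie fulfils the forged transfer. The same model goes a step beyond the notes and shows two defenses a server or browser can apply, a per-session synchronizer token that a cross-site page cannot read, and a SameSite=Strict cookie that the browser withholds from cross-site requests. The host names bank.example and evil.example, the /transfer path, the form field names, and the Browser/BankServer classes are assumptions made for the demo.

```python
# Added example (not from the lecture notes): a self-contained model of the
# session-cookie exchange, the CSRF attack it enables, and two mitigations.
# bank.example / evil.example, the /transfer path, the form field names and the
# Browser/BankServer classes are all assumptions made for this demo.
import hmac
import secrets
from dataclasses import dataclass

BANK = "bank.example"   # assumed victim site
EVIL = "evil.example"   # assumed attacker-controlled site


@dataclass
class Request:
    host: str       # server the request goes to
    path: str
    form: dict      # submitted form fields
    cookies: dict   # cookies the browser attached
    initiator: str  # site of the page that caused the request


class Browser:
    """Minimal browser: one cookie jar per host, attached to every request
    for that host regardless of which page made it (what CSRF relies on)."""

    def __init__(self):
        self.jar = {}   # host -> {cookie name: (value, samesite_strict)}

    def set_cookie(self, host, name, value, samesite_strict=False):
        self.jar.setdefault(host, {})[name] = (value, samesite_strict)

    def submit_form(self, page_site, host, path, form):
        cookies = {}
        for name, (value, strict) in self.jar.get(host, {}).items():
            # A SameSite=Strict cookie is withheld when the request was
            # initiated by a page on a different site.
            if strict and page_site != host:
                continue
            cookies[name] = value
        return Request(host, path, form, cookies, page_site)


class BankServer:
    """Authenticates with a session cookie. require_token=True adds a
    synchronizer token bound to the session; samesite_strict=True marks
    the cookie SameSite=Strict when it is issued."""

    def __init__(self, require_token=False, samesite_strict=False):
        self.require_token = require_token
        self.samesite_strict = samesite_strict
        self.sessions = {}   # session id -> {"user": ..., "csrf": ...}
        self.balances = {"alice": 100}   # constructed sample account

    def login(self, browser, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        browser.set_cookie(BANK, "authenticator", sid, self.samesite_strict)
        return sid

    def csrf_token(self, sid):
        # Only the bank's own pages (same origin) can read this value and
        # embed it in their forms; a page on evil.example cannot.
        return self.sessions[sid]["csrf"]

    def transfer(self, req):
        sess = self.sessions.get(req.cookies.get("authenticator"))
        if sess is None:
            return "401 not logged in"
        if self.require_token:
            sent = req.form.get("csrf_token", "")
            if not hmac.compare_digest(sent, sess["csrf"]):
                return "403 bad csrf token"
        amount = int(req.form["amount"])
        self.balances[sess["user"]] -= amount
        self.balances[req.form["to"]] = self.balances.get(req.form["to"], 0) + amount
        return "200 transferred"


def run_attack(require_token=False, samesite_strict=False):
    """Steps 1-4 of the notes: alice logs in, then visits evil.example whose
    form posts to bank.example; the browser attaches her cookie and the
    server decides. Returns (status, alice's balance afterwards)."""
    browser, bank = Browser(), BankServer(require_token, samesite_strict)
    bank.login(browser, "alice")
    forged = browser.submit_form(EVIL, BANK, "/transfer",
                                 {"to": "mallory", "amount": "100"})
    return bank.transfer(forged), bank.balances["alice"]


def run_legitimate(require_token=True):
    """Same transfer made from the bank's own page, which can include the
    session's token: the mitigation does not block the real user."""
    browser, bank = Browser(), BankServer(require_token)
    sid = bank.login(browser, "alice")
    form = {"to": "bob", "amount": "30", "csrf_token": bank.csrf_token(sid)}
    req = browser.submit_form(BANK, BANK, "/transfer", form)
    return bank.transfer(req), bank.balances["alice"]


if __name__ == "__main__":
    print("cookie only:      ", run_attack())
    print("synchronizer token:", run_attack(require_token=True))
    print("SameSite=Strict:   ", run_attack(samesite_strict=True))
    print("legitimate request:", run_legitimate())
```

With only the cookie checked, the forged request is indistinguishable from a real one and alice's balance drops to 0; with the token required the server answers 403, and with SameSite=Strict the browser never attaches the cookie, so the server sees an unauthenticated request. The legitimate same-site form still succeeds because the bank's page can embed the token.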