Cross Site Request Forgery
These slides are prepared by Dr Umar Aftab &
later updated by Dr. Anwar Shah
Outline
❖ Cross-Site Requests
❖ CSRF Attack
❖ Counter Measures
NATIONAL UNIVERSITY OF COMPUTER & EMERGING SCIENCES 2
Lab Setup
Cross-Site Request and CSRF
Understanding of CSRF attack
Single-Site Request
Single-Site / Same-Site Request
Cross-Site Request
❖ Suppose a user has opened two web pages from different websites, i.e., 1) www.facebook.com and 2) www.web.com. The user is logged in to Facebook, and a session ID has been created.
❖ The web.com page contains a form that targets facebook.com. When you fill in the Facebook form on web.com, the request is sent to the Facebook server.
Cross-Site Request Vulnerability
❖ When the user sends a request to the Facebook server through web.com, the cookies of the Facebook web page are automatically attached to the request. This is not hijacking; it is the natural behaviour of the browser. But web.com can copy the session easily. So this is the vulnerability of cross-site requests.
❖ Second vulnerability:
Suppose a request is sent through the web.com page to the Facebook server. If the Facebook server does not know where this request came from, it will respond to the web.com page with the user's data. This is also a vulnerability.
Cross-Site Request Vulnerability
❖ There is a type of cookie, the “session cookie”, that can be attached to requests from both sites.
❖ That may cause the problem.
Session Hijacking
❖ In TCP, if you get the sequence number, then you can hijack the session.
❖ If I put my web page on the victim's computer, the request will go from A to B.
❖ Meanwhile, if B can't recognise the difference, it's a problem.
CSRF Attack on IoT devices
CSRF Attack on IoT devices
• IoT devices generally do not have countermeasures to deal with CSRF attacks.
• They use a web server for their operation.
How to Launch CSRF Attack
❖ The attacker must know the method of the HTTP request before launching the attack.
❖ The method can be GET or POST, which can be analysed through the “HTTP Header Live” extension in the Firefox browser or with Wireshark.
❖ In the GET method, the data is attached in the header of the HTTP request, and the user can see the data in the URL. In the POST method, the data is attached in the body of the HTTP request.
GET and POST Request
• GET versus POST
• GET has data in the URL portion
• POST has data in the body portion.
GET Request
• When the browser sees an <img tag and follows its source, it initiates a GET request.
• The GET request contains the URL, a ?, and the arguments (name=value pairs).
• Similarly for iframe.
CSRF Attack on GET Services
The objective of this attack is to add the attacker as the victim's friend.
Add Friend HTTP Request
• Our job is to add ourselves to someone's friend list without their consent.
• Alice clicks on Add Friend. We can observe the GET request.
Investigate the GET method
❖ The attacker will investigate the GET request before launching the attack.
❖ The goal is to capture that traffic → we note the value of the “add friend” request.
❖ Disable the countermeasures → if they are attached (doesn't matter).
Investigate the GET method
❖ All we need to know is the friend's ID.
❖ A randomly generated session ID is granted after the login credentials are given.
❖ By design, the browser adds it for us.
Preparation of the Forged GET Request
❖ Now the attacker prepares a forged GET request in a web page with his own ID. When the victim clicks on the page link, the forged GET request is triggered.
❖ You have to play with their minds → once the user clicks on this, the request will be sent.
❖ The victim needs to have an active session with the social media site.
Demo: Lab Setup
❖ Based on lab setup 2.0
❖ It is based on containers
❖ The code is inside the ‘attacker’ folder
Demo: Lab Setup
❖ docker build, and it takes time
Demo: Lab Setup
❖ Run dcup → your container starts running
❖ Now check the mapping of the IP
❖ Run more /etc/hosts
Demo: Lab Setup
Demo: Lab Setup
Demo: Open attacker’s website
Demo:
❖ Add your code in the page so that the friend can be added
Demo:
❖ Whoever you want, just mention the ID → that person will be added to the friend list.
❖ Refresh the pages again and check the results.
Demo: Friend added to the victim's friend list
Forge the GET Request
❖ The browser triggers a GET request when it sees an “img” or “iframe” tag in HTML.
❖ An attack on a GET HTTP request is easy, because the data is attached in the header of the HTTP request, i.e., in the URL.
Mechanism (Forge the GET Request)
❖ Suppose Alice and Samy (attacker) are two users on a social network like Facebook.
❖ Samy wants to add Alice to his friend list without Alice's permission.
❖ Alice is logged in to her account and her session ID has been created.
❖ Samy sends Alice the URL of a web page that contains a forged GET request with Samy's profile ID.
❖ When Alice clicks the link, the browser triggers an HTTP GET request. Alice's session ID is attached to the request automatically.
Reaction of CSRF GET Method Attack
CSRF Attack on POST Services
The objective of this attack is to edit the victim's profile.
Edit Profile HTTP Request
Investigate the POST method
❖ The attacker will investigate the POST request before launching the attack.
Sending POST Request
❖ The POST request is sent through a form, because the objective of the attack is to edit the victim's profile.
Preparation of the Forged POST Request
❖ Now the attacker prepares a forged POST request in a web page with the victim's ID. When the victim clicks on the page link, the forged POST request is triggered.
Sending POST Request
❖ A typical way to generate POST requests is to use HTML forms, as in the following HTML code.
❖ The following code defines a form with two text fields and a Submit button; each entry's initial value is also provided.
❖ If a user clicks the Submit button, a POST request is sent to the URL http://www.example.com/action_post.php, with "to=3220&amount=500" included in the body.
Preparation of the Forged POST Request
❖ Obviously, if the attacker just presents this form to a victim, the victim will probably not click the Submit button, and the request will not be triggered. To prevent that, we can write a JavaScript program to click the button for the victim.
Preparation of the Forged POST Request
❖ The code dynamically creates a form (Line 1), with its entries specified by the fields string and its method set to POST. It should be noted that the type of each form entry is hidden, indicating that the entry is invisible to users.
❖ After the form is constructed, it is added to the current web page (Line 2).
❖ Eventually, the form is automatically submitted when the program calls p.submit() at Line 3.
❖ The JavaScript function forge_post() is invoked automatically after the page is loaded, due to the code at Line 4.
❖ window.onload is an event handler in JavaScript that specifies a function to be executed when the entire web page (the HTML document and all its related resources, like images and stylesheets) has finished loading.
❖ Thanks to window.onload, forge_post() is invoked automatically after the page is loaded; otherwise it would run only if it were explicitly called in your JavaScript code, or if you had set up an event listener to trigger it when a specific event occurs, like a button click or form submission.
Mechanism (Forge the POST Request)
❖ Suppose Alice and Samy (attacker) are two users on a social network like Facebook.
❖ Samy wants to edit Alice's profile without Alice's permission.
❖ Alice is logged in to her account and her session ID has been created.
❖ Samy sends Alice the URL of a web page that contains a forged POST request with Alice's profile ID.
❖ When Alice clicks the link, the browser triggers an HTTP POST request. The session ID is attached automatically.
Reaction of CSRF POST Method Attack
Countermeasures
Fundamental Cause
❖ The browser knows whether the HTTP request is single-site or cross-site, but the server does not. This is the vulnerability, because the protective shield must lie on the server side, not on the browser side.
❖ Referer header:
The Referer header tells the server where the request came from. But the Referer header carries a lot of user information that can hurt user privacy, so many users block the Referer header with a proxy.
So, the Referer header is not a reliable solution.
Secret Token
❖ The server attaches a secret token to each web page so that it can tell whether a request is single-site or cross-site.
❖ The tokens are strings of special characters. The token is kept hidden so that a malicious user cannot steal it.
Secret Token
❖ The developer can generate the token inside the page dynamically as follows:
❖ HTTP request with token:
Token Approach in IoT
Same-Site Cookies
❖ When a request is sent to the Facebook server from a web.com page, the cookies of facebook.com are attached to the request automatically.
❖ The problem is that the Facebook server cannot recognise whether the request came from a Facebook web page or from a web.com web page.
Setting Cookies and Their Types
❖ Simple cookies are attached to cross-site requests.
❖ Lax cookies are sometimes attached to cross-site requests and sometimes not (depending on the developer).
❖ Strict cookies are only attached to same-site requests.
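The three cookie types above, worked through for the forged requests in these slides (the img/iframe GET, a link-click GET and the hidden-form POST). This is an added illustration, not code from the slides; the function and parameter names are our own, and "None" stands for the slides' "simple" cookie.

```python
# Added example: which cookies a browser attaches to a request, by SameSite mode.
# Rules follow the SameSite specification; names below are constructed for this demo.
# (Chromium's temporary "Lax+POST" exception for cookies under 2 minutes old is omitted.)

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def cookie_is_sent(same_site: str, cross_site: bool, top_level: bool, method: str) -> bool:
    """Decide whether a cookie accompanies a request.

    same_site : "None" (the simple cookie), "Lax" or "Strict".
    cross_site: True when the request is initiated from another site
                (a web.com page requesting facebook.com).
    top_level : True for a navigation that replaces the whole tab (link click,
                form submission); False for subresources (img, iframe, fetch).
    method    : HTTP method of the request.
    """
    if not cross_site:
        return True  # same-site requests always carry the cookie
    mode = same_site.capitalize() if same_site else "None"
    if mode == "Strict":
        return False  # never sent on a cross-site request
    if mode == "Lax":
        # Sent only on cross-site *top-level* navigations using a safe method.
        return top_level and method.upper() in SAFE_METHODS
    return True  # SameSite=None: attached to every cross-site request


def csrf_scenarios() -> dict:
    """The forged requests from these slides, under each cookie mode."""
    scenarios = {
        # <img src="...add-friend URL..."> placed on the attacker's page: a subresource GET
        "img GET (add friend)": dict(cross_site=True, top_level=False, method="GET"),
        # Alice clicks Samy's link to the add-friend URL: a top-level GET navigation
        "link GET (add friend)": dict(cross_site=True, top_level=True, method="GET"),
        # hidden form submitted by forge_post(): a cross-site top-level POST
        "form POST (edit profile)": dict(cross_site=True, top_level=True, method="POST"),
    }
    return {name: {mode: cookie_is_sent(mode, **req) for mode in ("None", "Lax", "Strict")}
            for name, req in scenarios.items()}
```

Note that Lax stops the img/iframe and form-POST variants but still sends the cookie on a plain link click, so a GET-based state change stays exposed unless Strict or a token is used.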
Case Study: Elgg's Countermeasures
❖ In the countermeasure, Elgg embeds two secret values, __elgg_ts and __elgg_token, in all its pages.
❖ The values are stored inside two JavaScript variables and also in all the forms where user action is required. The following form example shows that two new hidden parameters, __elgg_ts and __elgg_token, are added to the form, so when the form is submitted via an HTTP request, these two values are included in the request.
Case Study: Elgg's Countermeasures
❖ Elgg also stores the secret values in two JavaScript variables,
❖ so their values can be easily accessed by the JavaScript code on the same page.
❖ Elgg's security token is an MD5 digest of four pieces of information: the site secret value, the timestamp, the user session ID, and a randomly generated session string. It will be difficult for attackers to guess this value.
❖ Before processing each request, Elgg validates the token attached to the request. If the token is not present or is invalid, the request is denied.
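The secret-token countermeasure and the Elgg gatekeeper described above, as an added server-side example (not Elgg's code): the token is derived from the same four inputs Elgg uses, the hidden fields carry Elgg's names, and the check rejects the forged to=3220&amount=500 POST from the attack slides because it carries no token. HMAC-SHA256 is used in place of Elgg's MD5 digest; MAX_TOKEN_AGE, make_token, render_hidden_fields and validate_action are names chosen for this demo.

```python
import hmac
import hashlib

# Added example of a synchronizer token in the style of Elgg's __elgg_ts /
# __elgg_token. Elgg's MD5 is swapped for HMAC-SHA256; function names are ours.

MAX_TOKEN_AGE = 2 * 60 * 60  # seconds a token stays valid (constructed value)


def make_token(site_secret: str, ts: int, session_id: str, session_string: str) -> str:
    """Token bound to the site secret, a timestamp and the user's session."""
    msg = f"{ts}|{session_id}|{session_string}".encode()
    return hmac.new(site_secret.encode(), msg, hashlib.sha256).hexdigest()


def render_hidden_fields(site_secret: str, session: dict, now: float) -> str:
    """What the server embeds in every form: the two hidden parameters."""
    ts = int(now)
    tok = make_token(site_secret, ts, session["id"], session["string"])
    return (f'<input type="hidden" name="__elgg_ts" value="{ts}">\n'
            f'<input type="hidden" name="__elgg_token" value="{tok}">')


def validate_action(form: dict, session: dict, site_secret: str, now: float) -> bool:
    """Gatekeeper: allow the action only if a fresh, matching token is present.

    The browser attaches the session cookie to cross-site requests automatically,
    so the cookie alone says nothing about where the request came from; only a
    page served to this session could have contained the token.
    """
    ts_str = form.get("__elgg_ts")
    token = form.get("__elgg_token")
    if ts_str is None or token is None:
        return False  # a forged cross-site form carries no token at all
    try:
        ts = int(ts_str)
    except ValueError:
        return False
    if not 0 <= now - ts <= MAX_TOKEN_AGE:
        return False  # stale or future-dated token
    expected = make_token(site_secret, ts, session["id"], session["string"])
    return hmac.compare_digest(expected, token)  # constant-time comparison
```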
Case Study: Elgg's Countermeasures
❖ To turn on the countermeasure, we need to go to the /var/www/CSRF/Elgg/vendor/elgg/elgg/engine/classes/Elgg folder and find the function gatekeeper() in the ActionsService.php file. In this function, comment out the "return true" statement in the first line. This statement was added by us to disable Elgg's countermeasures.
❖ Basically, that statement forces the gatekeeper function to always return true, letting all requests pass the check.