Cross-Site Request Forgery (CSRF) is a major web vulnerability that forces users to perform unintended actions on websites. It remains underreported due to the difficulty of detection. CSRF can be used to hijack user accounts, modify browser settings, and force purchases without user awareness or consent. While solutions like tokens exist, many websites remain vulnerable to CSRF attacks.

1. Cross-Site Request Forgery “The Sleeping Giant of Website Vulnerabilities” Jeremiah Grossman | WhiteHat Security | 04/09/08 | Session Code: HT1-20304

3. Symantec Qualys Nessus nCircle WhiteHat Security “ well-known” vulnerabilities Vulnerability Stack Focus on “custom web applications”

5. The big 3! Cross-Site Scripting (XSS) - forcing malicious content to be served by a trusted website to an unsuspecting user. Cross-Site Request Forgery (CSRF) - forcing an unsuspecting user’s browser to send requests they didn’t intend. (wire transfer, blog post, etc.) JavaScript Malware - payload of an XSS or CSRF attack, typically written in JavaScript, and executed in a browser.

6. What's in a name? 2000 Client-Side Trojans Zope discovers Web version of Confused Deputy Cross Site Request Forgery Peter Watkins discovers Client-Side Trojans, CSRF, pronounces it "sea surf" 2001 Session Riding Thomas Schreiber discovers CSRF, writes a white paper, changes the name 2004 XSRF Jesse Burns (iSec), writes a white paper, likes this acronym better 2005 Intranet Hacking WhiteHat Security discovers JavaScript can use CSRF to perform browser port scanning 2006 MITRE CVE Trends Says CSRF is under reported and predicts stats increase 2007 OWASP CSRF CSRF added as #5 on the OWASP Top Ten project 2007 Domain Stealing CSRF used to hi-jack Gmail accounts and take control over domain names 2007 Drive-by-Pharming CSRF used to target DSL Routers to modify DNS settings to a popular bank in Mexico. 2008 1988 Confused Deputy Original CSRF theory Samy Worm Web Worm infects 1 millon MySpace profiles using XSS/CSRF 2005 Cross-Site Request Forgeries Session Riding Client-Side Trojans Confused Deputy Web Trojans Confused? Timeline

7. How prevalent is CSRF? No statistics exist, no one can scan for it, and nearly all issues are found by hand

10. The Anatomy of a CSRF Attack A user is logged-in to a Web bank with a “Transfer Funds” feature. After specifying the “From” account, “To” account, and dollar amount, the user clicks the “Continue” button. Let’s say the “From” account is “314159265,” the “To” account is “011235813,” and we’re transferring $5,000. The Web browser issues an HTTP request to the Web server executing the process. The form values are located within the POST body and the session credential (Cookie) in the headers. If the request was successful, $5,000 would be transferred from account “314159265” to account “01123581.” POST http://webbank/transfer_funds.cgi HTTP/1.1 Host: webbank User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O;) Firefox/1.4.1 Cookie: JSPSESSIONID=4353DD35694D47990BCDF36271740A0C from= 314159265 &to= 011235813 &amount= 5000 &date=11072006

11. POST is NOT a Solution Many Web applications, such as transfer_funds.cgi, do not distinguish between parameters sent using GET or POST. Transfer Funds could be initiated using GET. In Figure 3, the POST method is replaced by GET and the parameters in the HTTP body have been added to the query string. GET http://webbank/transfer_funds.cgi? from= 314159265 &to= 011235813 &amount= 5000 &date=11072006 HTTP/1.1 Host: webbank User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US;) Firefox/1.4.1 Cookie: JSPSESSIONID= 4353DD35694D47990BCDF36271740A0C Converting POST to GET is not required, JavaScript can issue POSTs through Web Forms.

12. The Hack When bank customers are still logged-in, they may stumble across a Web page containing the HTML. A customer may find this link in a phishing email, message board post, instant message spam, etc. The SRC attribute of the IMG tag has a similar URL value to that of Figure 3, but has been updated with another account number. <IMG SRC= http://webbank/transfer_funds.cgi? from= 314159265 &to= 1618 &amount= 5000 &date=11072006> The IMG tag forces a “forged” request and if the customer is still logged-in, $5,000 from account “314159265” will be sent to account “1618,” belonging to the hacker . To the online bank the request completely legitimate. CSRF attacks succeed because the customer is the one who is actually making the request by automatically sending the session credentials (cookies).

13. CSRF Can and Can Not Do Can: Force a user to make any HTTP request to anywhere. Can’t: Read the web page that is returned in the browser. attacker.com attacker.com Same-Origin Policy bank.com Read OK Read Error

17. Attacks can penetrate the intranet by controlling/hijacking a user’s browser and using JavaScript Malware, which is on the inside of the network. Intranet Hacking

18. Cross-Site Scripting (Printer Spamming) “ By using only JavaScript, an Internet web site can remotely print to an internal network based printer by doing an HTTP Post. The web site initiating the print request can print full text, enter PostScript commands allowing the page to be formatted, and in some cases send faxes. For the attack to succeed the user needs to visit a web site that contains this JavaScript. ” - Aaron Weaver <img src=”myprinter:9100/Printed_from_the_web”>

22. XSS vulnerabilities bypass all CSRF protections

26. For more information visit: www.whitehatsec.com Jeremiah Grossman, founder and CTO blog: http://jeremiahgrossman.blogspot.com email: jeremiah@whitehatsec.com Thank You!

27. References The Cross-Site Request Forgery (CSRF/XSRF) FAQ http://www.cgisecurity.com/articles/csrf-faq.shtml The Confused Deputy - Original Cross-Site Request Forgery Theory http://www.cap-lore.com/CapTheory/ConfusedDeputy.html Zope discovers a Web version of the Confused Deputy, calls it Client-Side Trojans http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan Peter Watkins discovers Client-Side Trojans, calls it (CSRF, pronounced &quot;sea surf&quot;) http://www.tux.org/~peterw/csrf.txt Thomas Schreiber discovers CSRF, doesn't like the name, calls it Session Ridinghttp://www.securenet.de/papers/Session_Riding.pdf Jesse Burns discovers CSRF, doesn't like the acronym, changes it to XSRF.http://www.isecpartners.com/files/XSRF_Paper_0.pdf Intranet Hacking from the Outside and JavaScript Port Scanninghttp://jeremiahgrossman.blogspot.com/2006/09/video-hacking-intranet-websites-from.html MITRE - Vulnerability Type Distributions in CVE http://cve.mitre.org/docs/vuln-trends/index.html OWASP Top Ten 2007 http://www.owasp.org/index.php/Top_10_2007-A5