Thursday 20 November 2014

Hacking websites using Cross Site Request Forgery (CSRF).


What is CSRF?
CSRF is one of the lesser known attacks against websites. In a nutshell, CSRF allows you to make a user perform an action on a website without their knowledge. Say you are logged into a forum and it is vulnerable to CSRF. An attacker could send you a link to a completely unrelated website, but within the source code of the attacker's website is the code to change the user's password on the forum they are logged into.

How does this happen?
CSRF is possible when a website relies only on cookies to manage a session. The browser's same-origin policy still allows a request to be sent to another website, but it will not let the sending page read any data back. This one-way behaviour is enough to perform simple one-off tasks: we can still change passwords and update accounts, we just will not see the response. That is fine, because we do not need the response anyway; we only need to fill in the fields and submit the form. The victim must also be logged into the website for this to work. Because they are already logged in and our code sends their browser to the website, we do not need their password: their session cookie lets them in without needing to re-enter it.

The Attack
For this attack I will be using Mutillidae and Burp Suite as the interception proxy, as usual. You can download Mutillidae from http://sourceforge.net/projects/mutillidae/
I will be using the Register account form in Mutillidae.


What we need to do is basically recreate the form for registering a user. We can do this either by checking the page source or, my preferred way, by capturing the request in an interception proxy.

When the form is submitted, the captured request shows the form fields we are required to recreate:


So now we simply have to recreate this form and submit it with some simple JavaScript like so:


Now we just send the victim a link to this page and the result is this:



This is a super simple proof of concept. Most of the time you will either have a meta tag redirect to another page or simply have this page load off screen while displaying another page within the user's view.

Think about if this was sent to an administrator. Or if it was a change password form or a confirm bank transfer...

Prevention
Protecting against this attack is usually just a matter of issuing anti-CSRF tokens to the user that must be submitted with each form submission. This way, in order to perform the attack, an attacker needs the anti-CSRF token along with the other form data. Without the token the form will not be accepted. While there are ways to get the token, such as XSS and some multi-stage attacks, as long as the tokens are issued correctly CSRF attacks can be rendered impossible.
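As an added example (not code from this post, from Mutillidae or from Burp Suite), here is the token defence described above modelled as a small Python service, covering both the "How does this happen?" section and the prevention section. The vulnerable handler accepts any request that arrives with the session cookie, which is exactly why a form submitted from another site works; the protected handler also requires a per-session token that is embedded in the site's own forms and that a cross-site page cannot read. The in-memory session store, the server secret, the handler names and the HMAC-bound token scheme are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed placeholder: a real server keeps this key in its secrets storage.
SERVER_SECRET = b"example-server-secret-do-not-reuse"

# In-memory session store (constructed for the example): session id -> session data.
SESSIONS: dict = {}


def login(username: str) -> str:
    """Start a session and return the value the server would set in the session cookie."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "password": "initial-password"}
    return session_id


def issue_csrf_token(session_id: str) -> str:
    """Per-session anti-CSRF token: an HMAC over the session id, so it is bound to that session.

    The server puts this value in a hidden field of every form it renders. A page on
    another site cannot obtain it, because the same-origin policy stops that page from
    reading this site's responses.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def validate_csrf_token(session_id: str, token) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    if not isinstance(token, str):
        return False
    expected = issue_csrf_token(session_id).encode()
    return hmac.compare_digest(expected, token.encode())


@dataclass
class Request:
    """Minimal model of an incoming POST: the cookies the browser attached and the form body."""
    cookies: dict
    form: dict


def change_password_vulnerable(req: Request):
    """Handler that trusts the session cookie alone (the condition that makes CSRF possible)."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    session["password"] = req.form["new_password"]
    return 200, "password changed"


def change_password_protected(req: Request):
    """Same handler with the anti-CSRF token check added."""
    session_id = req.cookies.get("session")
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    if not validate_csrf_token(session_id, req.form.get("csrf_token")):
        return 403, "missing or invalid anti-CSRF token"
    session["password"] = req.form["new_password"]
    return 200, "password changed"


def forged_request(session_id: str) -> Request:
    """What the server sees when a logged-in victim's browser submits a form from another site:
    the browser attaches the session cookie automatically, but the form carries no token."""
    return Request(cookies={"session": session_id}, form={"new_password": "attacker-chosen"})


def legitimate_request(session_id: str, new_password: str) -> Request:
    """A submission from the site's own form, which carries the hidden token field."""
    return Request(cookies={"session": session_id},
                   form={"new_password": new_password,
                         "csrf_token": issue_csrf_token(session_id)})


def demo() -> dict:
    """Forged request against both handlers, then a legitimate request against the protected one."""
    sid = login("victim")
    forged_vs_vulnerable, _ = change_password_vulnerable(forged_request(sid))
    sid2 = login("victim")
    forged_vs_protected, _ = change_password_protected(forged_request(sid2))
    legit_vs_protected, _ = change_password_protected(legitimate_request(sid2, "chosen-by-user"))
    return {
        "forged_vs_vulnerable": forged_vs_vulnerable,      # 200: password silently changed
        "forged_vs_protected": forged_vs_protected,        # 403: token missing
        "legit_vs_protected": legit_vs_protected,          # 200: token present and valid
        "password_after_protected": SESSIONS[sid2]["password"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token is derived from the session id rather than stored, so it is automatically different for every session and useless once the victim logs out; the comparison uses `hmac.compare_digest` so that a wrong token cannot be distinguished from a nearly right one by timing.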
