
Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-9

 

Cross-Site Request Forgery

A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) [9] exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

 

CSRF attacks are effective in a number of situations, including:

  • The victim has an active session on the target site.
  • The victim is authenticated via HTTP auth on the target site.
  • The victim is on the same local network as the target site.

 

CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered [5] to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.

 

Example

In order to forge an HTTP request, an attacker typically profiles the target site first, either by reviewing the HTML source or by inspecting the HTTP traffic. This helps the attacker determine the format of a legitimate request; the forged request is meant to mimic a legitimate request as closely as possible.

Consider a web site that allows users to configure their web-based email account to forward all incoming email to an alternative address:

<form action="/account/edit" method="post">
  <p>Email: <input type="text" name="email" /> <input type="submit" value="Submit" /></p>
</form>

 

An attacker can deduce, by viewing this HTML source or by using this form, that a legitimate request will have a format similar to the following:

POST /account/edit HTTP/1.1
Host: example.org
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
Cookie: PHPSESSID=1234

email=chris%40example.tld

 

If an attacker could forge such a request from another user, it's possible that the attacker could begin receiving all of the victim's email. A popular technique is to use JavaScript to submit a form that consists of hidden fields. If the target of the form is a hidden IFrame, the response is hidden from view. The following example demonstrates this:

 




 

This malicious payload can be hosted on another web site the victim visits, or on the same site. Popular approaches for deploying malicious payloads include banner ads, cross-site scripting flaws, and other means.

If the intent is to forge a GET request, a popular technique is to use an embedded resource such as an image as the malicious payload:

 
               
 

The key to understanding CSRF is to realize that only the request matters, and there are a variety of techniques that can be used to forge requests.
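Because only the request matters, the server-side defence is to demand something the forged request cannot carry: a per-session secret echoed in the form (a synchronizer token), backed by an Origin/Referer check. The following is an added example, not code from the WASC page; it models the /account/edit endpoint above with a constructed in-memory session store and a hypothetical csrf_token field name.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "example.org"          # the target site from the page's example
_sessions = {}                     # constructed stand-in: session id -> CSRF token


def issue_token(session_id):
    """Bind a fresh random token to the session; the legitimate form echoes it back."""
    token = secrets.token_urlsafe(32)
    _sessions[session_id] = token
    return token


def _source_host(headers):
    """Host the browser reports as the request source: Origin, else Referer, else None."""
    src = headers.get("Origin") or headers.get("Referer")
    return urlsplit(src).hostname if src else None


def accept_state_change(headers, body):
    """Decide whether a POST to /account/edit is accepted; returns (accepted, detail).

    The forged request described on the page carries the victim's PHPSESSID
    cookie, but a page on another site cannot read the token out of the victim's
    session and the browser will report a foreign Origin, so it is refused.
    """
    cookies = dict(p.strip().split("=", 1)
                   for p in headers.get("Cookie", "").split(";") if "=" in p)
    session_id = cookies.get("PHPSESSID")
    if session_id not in _sessions:
        return False, "no session"
    host = _source_host(headers)
    # Absent Origin/Referer is tolerated (some clients strip them); the token is the real control.
    if host is not None and host != SITE_HOST:
        return False, "cross-site origin"
    form = parse_qs(body)
    sent = form.get("csrf_token", [""])[0]
    if not hmac.compare_digest(sent, _sessions[session_id]):   # constant-time compare
        return False, "bad csrf token"
    return True, form.get("email", [""])[0]


if __name__ == "__main__":
    tok = issue_token("1234")
    forged = {"Cookie": "PHPSESSID=1234", "Origin": "http://attacker.invalid"}  # constructed
    print(accept_state_change(forged, "email=chris%40example.tld"))              # (False, 'cross-site origin')
    legit = {"Cookie": "PHPSESSID=1234", "Origin": "http://example.org"}
    print(accept_state_change(legit, "email=chris%40example.tld&csrf_token=" + tok))
```

The token must be unpredictable and tied to the session; a static or guessable value restores exactly the "predictable, repeatable request" the page identifies as the root cause.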

 

Public Incidents

Digg Exploit, 06 Jun 2006, Anonymous,

http://4diggers.blogspot.com/

 

Google Mail Exploit, 01 Jan 2007, Alex Bailey,

http://cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/

 

Amazon Exploit, 15 Mar 2007, Chris Shiflett,


 

 

References

"Cross Site Reference Forgery: An introduction to a common web application weakness"

[1]http://www.isecpartners.com/documents/XSRF_Paper.pdf

 

"Cross-Site Request Forgeries", Peter Watkins

[2] http://tux.org/~peterw/csrf.txt

 


"Security Corner: Cross-Site Request Forgeries", Chris Shiflett

[3] http://shiflett.org/articles/cross-site-request-forgeries

 

"The Cross-Site Request Forgery FAQ", Robert Auger

[4] http://www.cgisecurity.com/articles/csrf-faq.shtml

 

"JavaScript Hijacking", Brian Chess, et al.

[5]

 

"Cross-Site Request Forgery: Looking at Devices", Daniel Weber

[6] http://labs.calyptix.com/csrf-tracking.php

 

"Cross-Site Request Forgery (CSRF)", Web Hacking Incidents Database

[7] http://webappsec.org/projects/whid/byclass_class_attack_method_value_cross_site_request_forgery_(csrf).shtml

 

"Cross-Site Request Forgeries: Exploitation and Prevention", William Zeller and Edward Felten

[8] http://freedom-to-tinker.com/sites/default/files/csrf.pdf

 

Cross-Site Scripting Section

[9] http://projects.webappsec.org/Cross-Site-Scripting

 

"Cross-Site Request Forgery", Wikipedia

[10] http://en.wikipedia.org/wiki/Cross-site_request_forgery


Cross-Site Request Forgery (CSRF)

[11]
