Difference between revisions of "CSRF"

From NetSec
(Example)
 
(15 intermediate revisions by 6 users not shown)
Line 1: Line 1:
 +
{{expand}}
 +
 
<b>C</b>ross-<b>S</b>ite <b>R</b>eferral <b>F</b>orgery  
 
<b>C</b>ross-<b>S</b>ite <b>R</b>eferral <b>F</b>orgery  
  
=Synopsis=
+
== Synopsis ==
  
CSRF can occur when a web form does not properly check its [[HTTP referrer]] information to ensure that a browser came from its own site.  This can be especially dangerous to users of a site with a form like this.  CSRF is likely one of the most prominent vulnerabilities today.   
+
CSRF can occur when a web form or action URL does not properly check its [[HTTP referrer]] information to ensure that a browser came from its own site.  This can be especially dangerous to users of a site with a form like this.  CSRF is likely one of the most prominent vulnerabilities today.   
  
 
The result of a successful CSRF attack is performing actions in the context of a user's session.  If a user is logged into one site, and clicks a link to another, the other site's code may control what the logged-in user does on the original site.
 
The result of a successful CSRF attack is performing actions in the context of a user's session.  If a user is logged into one site, and clicks a link to another, the other site's code may control what the logged-in user does on the original site.
  
=Example=
+
== Example ==
  
 
The following html may display a broken image:
 
The following html may display a broken image:
 +
{{code|text=
 +
<source lang="html4strict">
 +
<img src="http://domain.tld/logout.php">
 +
</source>
 +
}}
 +
If a user logged into '''domain.tld''' loads a page with this html, it may log them out of their session on the affected domain.  The browser still makes a request to logout.php in the context of the authenticated session.  More advanced implementations of this include javascripts to fill out forms and perform more complex actions as the user loading the page. This issue also affects many forums where BBCode is enabled and the [IMG]-tag is not filtered correctly, for example:
 +
{{code|text=
 +
<source lang="html4strict">
 +
[IMG]http://domain.tld/logout.php[/IMG]
 +
</source>
 +
}}
 +
This BBCode will be translated to normal HTML and handled like the example before.
  
<syntaxhighlight lang="html">
+
{{info|When mixed with [[XSS]], this attack becomes the much more dangerous [[XSRF]].}}
<img src="http://domain.tld/logout.php">
+
{{exploitation}}
</syntaxhighlight>
+
{{social}}
  
If a user logged into '''domain.tld''' loads a page with this html, it may log them out of their session on the affected domain.  The browser still makes a request to logout.php in the context of the authenticated session.  More advanced implementations of this include javascripts to fill out forms and perform more complex actions as the user loading the page.
+
[[Category:Web exploitation]]
 
+
When mixed with [[XSS]], this attack becomes the much more dangerous [[XSRF]].
+
 
+
{{series
+
| Name = CSRF
+
| PartOf = Web Exploitation
+
}}
+
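Review bot: the lead line, unchanged in both revisions, still expands CSRF as "Cross-Site Referral Forgery"; the term is Cross-Site Request Forgery, and this revision would be the place to correct it. The new {{info}} box likewise presents XSRF as XSS combined with CSRF, while XSRF is normally just another abbreviation for the same attack, so the note should say what the combination adds rather than rename it. The added BBCode block is tagged lang="html4strict" although its content is not HTML; a plain-text tag would be more accurate.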

Latest revision as of 20:13, 12 November 2012


Cross-Site Referral Forgery

Synopsis

CSRF can occur when a web form or action URL does not properly check its HTTP referrer information to ensure that a browser came from its own site. This can be especially dangerous to users of a site with a form like this. CSRF is likely one of the most prominent vulnerabilities today.

The result of a successful CSRF attack is performing actions in the context of a user's session. If a user is logged into one site, and clicks a link to another, the other site's code may control what the logged-in user does on the original site.

Example

The following HTML may display a broken image:

 
 <img src="http://domain.tld/logout.php">
 

If a user logged into domain.tld loads a page with this HTML, it may log them out of their session on the affected domain. The browser still makes a request to logout.php in the context of the authenticated session. More advanced implementations use JavaScript to fill out forms and perform more complex actions as the user loading the page. This issue also affects many forums where BBCode is enabled and the [IMG] tag is not filtered correctly, for example:

 
 [IMG]http://domain.tld/logout.php[/IMG]
 

This BBCode will be translated to normal HTML and handled like the example before.
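
The referrer check named in the synopsis, seen from the server side, as an added example that is not part of the original article: it decides whether a request to an action such as logout.php may change state. The function names, the secret key and the sample requests are constructed for illustration, and the session-bound token goes beyond the referrer check the text describes.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

OWN_HOST = "domain.tld"                 # host name from the article's example
SECRET_KEY = b"constructed-demo-key"    # assumption: per-deployment server secret

def source_host(headers):
    """Host the browser reports as the request's source (Origin, then Referer)."""
    value = headers.get("Origin") or headers.get("Referer")
    return urlsplit(value).hostname if value else None

def issue_token(session_id):
    """Token bound to the session, embedded in forms the site itself renders."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def allow_state_change(method, headers, session_id, token):
    """Return (allowed, reason) for a state-changing request."""
    if method != "POST":
        # An <img> or [IMG] tag can only produce a GET.
        return False, "state-changing action requested with " + method
    host = source_host(headers)
    if host != OWN_HOST:  # exact host match, never a substring test
        return False, "request source is %r, not %s" % (host, OWN_HOST)
    if not hmac.compare_digest(token or "", issue_token(session_id)):
        return False, "missing or wrong anti-CSRF token"
    return True, "ok"

# Constructed requests; each one arrives with the user's valid session cookie.
SESSION = "sess-1234"
REQUESTS = [
    # the <img src="http://domain.tld/logout.php"> case from the article
    ("GET", {"Referer": "http://forum.example/thread/1"}, None),
    # look-alike host that would pass a naive "contains domain.tld" check
    ("POST", {"Referer": "http://domain.tld.forum.example/"}, None),
    # same-site source header but no token
    ("POST", {"Referer": "http://domain.tld/account"}, None),
    # the site's own form
    ("POST", {"Origin": "http://domain.tld"}, issue_token(SESSION)),
]

def evaluate(requests=REQUESTS):
    return [allow_state_change(m, h, SESSION, t) for m, h, t in requests]

if __name__ == "__main__":
    for (method, headers, _), (ok, reason) in zip(REQUESTS, evaluate()):
        print(method, headers, "->", "ALLOW" if ok else "DENY", "(" + reason + ")")
```
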

When mixed with XSS, this attack becomes the much more dangerous XSRF.
CSRF is part of a series on exploitation.