Cross Site Request Forgery

Popularity:

7

Simplicity:

7

Impact:

9

Risk Rating:

8

Cross-site request forgery, or session riding, is an interesting vulnerability that allows an attacker to exploit the fact that a user is already authenticated to a web application, and the attacker can, therefore, trick the user into performing authenticated actions, possibly without the user even knowing.

A great example of this vulnerability is when a user has authenticated to his or her web mail service and an attacker has sent the user an email containing a link that changes the password. This attack does not necessarily rely on the user clicking the link or even seeing the link. If the link is embedded within an IMG tag in an HTML email, then the action will be carried out automatically when the browser attempts to load the image, as shown here:

<img src=http://www.org webmail.com/passwd.php?new=hacked width=0 height=0>

Cross-site request forgery can also be carried out via stored XSS attacks, causing any users visiting the page to have their password changed via the link in the injected IMG tag automatically, which allows the attacker to simply log in to each of the users' accounts with the newly set password. This attack can also be performed using JavaScript, which also allows attacks via the HTTP POST method or AJAX calls.

If web application sessions do not timeout when browsing away from the application, an attacker may be able to lure the user into visiting a malicious website that includes a malicious IMG tag or JavaScript that could immediately take advantage of the still authenticated session.

Cross-site request forgery can have much greater consequences depending upon the value of the web application being attacked. A hacker may be able to force an authenticated Internet banking user into transferring funds from his or her account into the attacker's account without even knowing that it has been done.

This attack assumes that the attacker knows the internal web application URL for the desired action, such as the exact URL to transfer funds from one account to another. If the attacker has his or her own account for the target web application, or is able to download and set up a copy of the web application, then this assumption isn't too difficult to overcome.

Was this article helpful?

0 0
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook


Post a comment