This is part five in a list of articles in which I'm detailing the OWASP Top 10 vulnerabilities. (see intro)
What is Cross-Site Request Forgery? Cross-Site Request Forgery, one-click attack, session riding or XSRF is an attack whereby unauthorised commands are transmitted from a user that exploits the trust that a site has in a user's browser. This is also known as a confused deputy attack against a browser. The "deputy" is the user's Web browser which is confused into misusing a user's authority at an attacker's direction.
Basically, a malicious script executes on a page not related to the actual compromised site and executes a transaction on the attacked site. This could take place on sites with URLs which have side effects. For example, while logged into Facebook, a user browses to a forum with an embedded script. When this script executes, it sends a request to another site to perform some action. This could be anything from changing passwords and details, transferring money, purchasing an item etc. This vulnerability could be executed even if not currently logged into a particular site, by making use of authentication cookies. An example of a possibly vulnerable bank website is one which could execute a similar request without authorisation: http://www.myBank.com?action=transfer,fromAccount=12345,toAccount=09876,amount=$1000
The main points in order for an XSRF attack to occur are:
- The site has a URL that has side effects (e.g. changes passwords or details, transfers money, purchasing an item etc.)
- There are no secret authentication values or ID's that the attacker can't guess.
- The site doesn't check the referrer header.
- The attacker must get a victim to browse to a site with the attack script in order to execute it.
- A web application should check the http referrer header.
- Require secondary authorisation steps which cannot be forged. I've seen in certain banks, that secondary authorisation steps are required in order to transfer money by including a unique ID SMS'ed to the owner. This is because an XSRF attack is blind. That is, once a request has been made, the response is not sent back to the attacker and therefore can't authorise the transaction. Note that it is possible to simulate multiple requests by executing time delayed requests.
- For security sensitive requests, ensure that authentication details are provided within the same http request.
- In URLs that have side effects, ensure that there is a unique user token required.
- Limit the lifetime of session cookies.