{"id":38,"date":"2013-02-14T01:45:16","date_gmt":"2013-02-14T01:45:16","guid":{"rendered":"http:\/\/serialsignal.com\/blog\/?p=38"},"modified":"2020-09-29T22:18:54","modified_gmt":"2020-09-29T22:18:54","slug":"csrf","status":"publish","type":"post","link":"https:\/\/serialsignal.com\/blog\/csrf\/","title":{"rendered":"CSRF – Cross Site Request Forgery"},"content":{"rendered":"

There are a few security concepts every developer should understand and be able to implement before they are trusted with sensitive data. Things like SQL injection<\/a>, XSS<\/a>, salting<\/a> and a whole bunch of other things<\/a> can really cause you and your users a lot of trouble.
\nMaybe i’ll write something about those some other time, but for now i’m singling out CSRF which is fairly easy to exploit and can have some pretty fantastic results yet it seems, from my experience anyway, to get less attention than the other attacks I’ve mentioned.<\/p>\n

<\/p>\n

So, what is it?<\/h2>\n

In short, CSRF is when an attacker is able to submit a request from the victim’s browser to a site that they are authenticated with. Wikipedia puts it like this:<\/p>\n

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser.<\/p><\/blockquote>\n

For example, if you log in to your banks website and someone tricks you in to clicking a link that looked something like this:<\/p>\n

myfakeinsecurebank.com\/?transfer-to=badguy&amount=200&from=savings<\/tt><\/p>\n

If myfakeinsecurebank.com is careless, and they probably are with a URI like that, then you might have just been duped in to sending badguy $200 dollars!
\nThe website can’t tell if you are responsible for this request, all it knows is that it came from your browser and you are logged in.
\n“Well, you shouldn’t put things you shouldn’t link to in the get string!<\/em>” you might be thinking to yourself and you’d have a point, but that really doesn’t prevent CSRF. The attacker could just make a website (this is where the “Cross Site” part comes from) that sends a post request or even a series of post requests to the target website to do all sorts of things.<\/p>\n

If you are logged in to a site and that site isn’t actively trying to prevent CSRF then the attacker can take advantage of that and submit requests to the site through your browser as if they were you.<\/p>\n

Quick Example<\/h2>\n

Lets see it in action! Here is some pretty insecure\/quick code you might find on a site like myfakeinsecurebank.com:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
<\/div><\/td>
<!--<\/span>?php
\nsession_start<\/span><\/a>(<\/span>)<\/span>;<\/span>
\n$namespace<\/span> =<\/span> 'csrftest'<\/span>;<\/span>
\n$username<\/span> =<\/span> 'user'<\/span>;<\/span>
\n$password<\/span> =<\/span> 'pass'<\/span>;<\/span>
\n
\nif<\/span> (<\/span>isset<\/span><\/a>(<\/span>$_POST<\/span>[<\/span>'logout'<\/span>]<\/span>)<\/span> ||<\/span> !<\/span>isset<\/span><\/a>(<\/span>$_SESSION<\/span>[<\/span>$namespace<\/span>]<\/span>)<\/span>)<\/span> {<\/span>
\n    $_SESSION<\/span>[<\/span>$namespace<\/span>]<\/span> =<\/span> array<\/span><\/a>(<\/span>)<\/span>;<\/span>
\n}<\/span>
\n
\nif<\/span> (<\/span>isset<\/span><\/a>(<\/span>$_POST<\/span>[<\/span>'username'<\/span>]<\/span>)<\/span>
\n    &&<\/span> isset<\/span><\/a>(<\/span>$_POST<\/span>[<\/span>'password'<\/span>]<\/span>)<\/span>
\n    &&<\/span> $_POST<\/span>[<\/span>'username'<\/span>]<\/span> ==<\/span> $username<\/span>
\n    &&<\/span> $_POST<\/span>[<\/span>'password'<\/span>]<\/span> ==<\/span> $password<\/span>)<\/span> {<\/span>
\n
\n    \/\/ Loging the user "in" by storing the username<\/span>
\n    $_SESSION<\/span>[<\/span>$namespace<\/span>]<\/span>[<\/span>'username'<\/span>]<\/span> =<\/span> $username<\/span>;<\/span>
\n}<\/span>
\n
\nif<\/span> (<\/span>isset<\/span><\/a>(<\/span>$_SESSION<\/span>[<\/span>$namespace<\/span>]<\/span>[<\/span>'username'<\/span>]<\/span>)<\/span>)<\/span> {<\/span>
\n
\n    if<\/span> (<\/span>isset<\/span><\/a>(<\/span>$_POST<\/span>[<\/span>'name'<\/span>]<\/span>)<\/span>)<\/span> {<\/span>
\n        $_SESSION<\/span>[<\/span>$namespace<\/span>]<\/span>[<\/span>'name'<\/span>]<\/span> =<\/span> $_POST<\/span>[<\/span>'name'<\/span>]<\/span>;<\/span>
\n    }<\/span>
\n
\n    $message<\/span> =<\/span> isset<\/span><\/a>(<\/span>$_SESSION<\/span>[<\/span>$namespace<\/span>]<\/span>[<\/span>'name'<\/span>]<\/span>)<\/span>
\n        ? 'Hello '<\/span> .<\/span> $_SESSION<\/span>[<\/span>$namespace<\/span>]<\/span>[<\/span>'name'<\/span>]<\/span> .<\/span> '!'<\/span>
\n        :<\/span> 'Set your name below!'<\/span>;<\/span>
\n?--><\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
1
<\/div><\/td>
<<\/span>code lang=<\/span>"php"<\/span>><\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

<\/code><\/p>\n

<\/h1>\n
1
<\/div><\/td>
<<\/span>code lang=<\/span>"php"<\/span>><\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

<\/code><\/p>\n