Hi, this is Shahid Malla we are getting back you on security today we are going to tell you about CSRF vulnerability in webs which very popular. This vulnerability is very harmful and effective. Usually, this vulnerability exploiting don’t leave any type of evidence. SCRF has known as Cross Site Request Forgery(CSRF)
How SCRF works?
forcing on slave’s browser to run HTTP requests in order to implement a range of actions, for example :
Transfer of funds from the Bank
Disruption of the normal sequence of the site
Some Requirements Of Exploiting CSRF
Actually, In order to cause the slave to perform unwanted actions, he is not aware of, the slave must be logged to the target site with cookies and verified by the browser \ server.
Common uses CSRF attacks.
A common attack is using the image tag (img src) in the HTML document. I mean, in the SRC of the image tag must be inserted malicious link should send HTTP requests to the target, such as a GET request can be excellent. The benefits of using an image tag on the normal link tag (a href) are :
Image tag does not require clicking the link compared Tag-A requires clicking on the link to activate the HTTP request.
Nature of browsers is to send HTTP requests to visual objects such as picture or remote files (CSS, JS, etc.) even while loading the page without the user’s permissions. This means the user does not need to perform any action in order to see the image on the page, all he has to do is go to a certain site-specific browser sends HTTP requests to have to load the image. In this case, since the browser recognizes the HTML code of the image tag, it sends HTTP requests to load the image even if the SRC of the image is not really a picture, but a malicious link …
For those of you that uses Fire-Bug(Firefox add-on) can see in the next snapshot example of sending an HTTP request from the browser to the server to load an image during the login of the user:
Also, CSRF attacks can be implemented not only through websites but through email messages. Since the mailboxes allow sending data to HTML format, the attached image perfectly legal. In this case, I can send a malicious email message to a huge amount of recipients, put a photo tag email body when the SRC contains a malicious link, when the slave opens the email, the desired action done.Exploiting code examples:
Using img tag:
<img style=”display:none;” src=”http://targetsite.com/change_password.php?new_password=123456″>
Using iframe tag:
using image object.
var poniz = new Image();
test.poniz = “http://targetsite.com/change_password.php?new_password=123456”;
Here a cool example that actually belongs to Black-SEO.
What I want to check in my user control panel is the parameters are sent as a request to the HTTP server when I’m updating my home page via the user control panel.
There are a variety of fields that can be updated, such as an address, phone, email, name, content, and most importantly for this example: The favorite website\home page address.
These parameters are sent to the server when updating my website address. So it seems to Firebug:
These parameters are sent to the server using the POST method. So we do not see the parameters in the URL address. But, if the parameters will be written via getting method, the data will send? Let’s see.
It works! (Actually…in the server-side code(PHP), the variable was in REQUEST method…but it does not matter)
Now … Imagine that Dork like this one:
site:targetsite.com & intext:”Homepage” & intext:”email: “
Now, I’ve got all the emails of users and I can send them an email with the img tag, and when they will open it, their home page\website address
field in their profile will change(To http://www.exploitersite.com)
How to prevent?
Here is few Way to prevent CSRF attacks.
Except from one: Tokens.
The token This is a hidden random ID responsible for sending structured data, such as logging into forms, forms that allow registered users to update data or home page(in our case )
<input type=”hidden” name=”8pssf18ssdmf8s7p80fodi” value=’1′ id=”token” />
Since the tokens are defined, the attacker can not know what is the token of the slave, because every loading of the page the token will change to other random number\string.
Don’t forget to delete your cookies.
Use tokens(Captcha is safer).
When you built your php site, don’t use GET \ REQUEST super-global variables.