Cross Site Request Forgery (XSRF / CSRF)
- It is an attack on the end user that forces the user's browser to execute unwanted actions, without the user's knowledge, while the user is authenticated.
Example
- To mount a CSRF attack, the hacker first studies the structure of the application and learns exactly how its POST and GET requests work.
- For example, a common GET request for a money transfer (say 100 Rs) looks like the following:
- GET http://abcbank.com/transfer.do?acct=PersonB&amount=100 HTTP/1.1
- Once the hacker understands the request format, he/she can modify the link so that the money is transferred into their own bank account. The modified request looks like this:
- GET http://abcbank.com/transfer.do?acct=Hacker&amount=100 HTTP/1.1
- This malicious URL can then be embedded in an innocent-looking hyperlink, such as the one below, and sent by email.
- <a href="http://abcbank.com/transfer.do?acct=Hacker&amount=100">Click here</a>
- The link can then be distributed to a large number of bank customers, dressed up with HTML and CSS or disguised as an attractive advertisement.
- Anyone who clicks the link while logged in to their bank account unintentionally initiates a transfer of 100 Rs. to the hacker.
- If the bank's website accepts only POST requests, the forged request cannot be placed through an <a> anchor tag.
- However, the attack can still be carried out with a <form> tag that JavaScript submits automatically as soon as the page loads, as shown below:
<body onload="document.forms[0].submit()">
<form action="http://abcbank.com/transfer.do" method="POST">
<input type="hidden" name="acct" value="Hacker"/>
<input type="hidden" name="amount" value="100"/>
<input type="submit" value="View my pictures!"/>
</form>
</body>
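Added example, not code from the original note: a minimal server-side handler in Python for the transfer.do endpoint above that rejects both the forged GET link and the auto-submitted form, by requiring a per-session synchronizer token and checking the browser-supplied Origin header. The in-memory session store, new_session and handle_transfer are assumed names, and the attacker origin is a constructed placeholder.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf_token": ...}
SESSIONS = {}

def new_session(user):
    """Log a user in: mint a session cookie value and bind a random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid

def handle_transfer(cookies, headers, form, site_origin="http://abcbank.com"):
    """Server side of POST /transfer.do. Returns (status_code, message).

    Two independent checks reject the forged requests shown above:
      1. Origin header: browsers attach it to cross-site POSTs and a page on
         another site cannot alter or strip it.
      2. Synchronizer token: the bank's own form embeds a secret bound to the
         session; the attacker's page can make the browser send the session
         cookie but cannot read that token, so a forged form lacks it.
    """
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    origin = headers.get("Origin")
    if origin is not None and origin != site_origin:
        return 403, "cross-origin request rejected"
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"{session['user']} transferred {form['amount']} to {form['acct']}"

def demo():
    """Replay the page's scenario against the handler: forged forms and the real one."""
    sid = new_session("PersonA")
    cookies = {"session": sid}  # the victim's browser sends this cookie with every request
    forged_form = {"acct": "Hacker", "amount": "100"}
    # Auto-submitted form hosted on the attacker's page (constructed origin).
    forged = handle_transfer(cookies, {"Origin": "http://attacker.invalid"}, forged_form)
    # Same form from a client that sends no Origin header: the token check still stops it.
    forged_no_origin = handle_transfer(cookies, {}, forged_form)
    # Form rendered by the bank itself, which embeds the session's token.
    legit = handle_transfer(cookies, {"Origin": "http://abcbank.com"},
                            {"acct": "PersonB", "amount": "100",
                             "csrf_token": SESSIONS[sid]["csrf_token"]})
    return forged, forged_no_origin, legit
```

The token must be emitted only in pages the bank itself renders and never in a URL, otherwise it leaks through Referer headers and browser history.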