CSRF

CSRF, also written XSRF and also known as cross-site request forgery, session riding or the one-click attack, is a web exploit in which an attacker causes a victim's browser to send requests the victim never intended to a site where the victim is already authenticated. It is best understood by contrast with XSS (cross-site scripting): XSS abuses the trust a user places in a particular website, whereas CSRF abuses the trust a website places in a particular user, or more precisely in that user's browser and whatever ambient credentials it carries, such as a session cookie or, in some deployments, its IP address. In terms of "trust" (meaning the leeway and access one party grants another), CSRF is the mirror image of XSS.

This is an old class of exploit. It has been used by attackers since the nineties, arguably since the Web first became popular. Because the forged request is issued by the victim's own browser and arrives from the victim's own IP address carrying the victim's own session, it looks to the server like any other action by that user, so server logs generally cannot prove that a CSRF attack took place rather than a deliberate action. Partly for that reason such incidents are under-reported: as of 2007 only a handful of CSRF exploits had been publicly documented, a consequence of how stealthy the technique is by nature.

Two incidents are commonly cited. In February 2008 around 18 million users of eBay's Korean auction site had personal details stolen in a breach attributed to session riding. In another case targeting Mexican bank customers, the exploit was delivered by an image tag in a phishing e-mail: when the mail was rendered, the image tag issued a request to the victim's ADSL router that changed the router's DNS entry for the bank's domain so that it resolved to an attacker-controlled site. The general traits of a typical CSRF exploit are as follows.

First, it typically uses a script, an image or a link embedded in a page the attacker controls (or in an e-mail) that targets a site where the victim is already known, authenticated and granted access. Second, it relies on HTTP requests that have damaging side effects on the targeted site: the attacker tricks the trusted user's browser into delivering those requests, the site accepts them because it trusts the identity of the authenticated user, and so the exploit depends entirely on the victim's standing with the site rather than on any credential the attacker possesses.

The applications most exposed are web applications that carry out state-changing actions for an authenticated user on the strength of ambient credentials alone, without any evidence that the user actually intended the request. A cookie-authenticated user's browser attaches that cookie to any request aimed at the site, including one triggered by an attacker's page, so unless the application demands something the attacker cannot supply (for example a per-request token bound to the session, or a check that the request originated from the site itself) it will execute the forged request as if the user had asked for it, with consequences ranging from unwanted actions and identity theft to outright corruption of data.
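To make the two preceding paragraphs concrete, the following added example (not code from the original page or from SecPoint) models a cookie-authenticated "transfer" endpoint twice: once the way a CSRF-vulnerable application handles it, and once with the checks that defeat session riding. Requests are plain dicts so it runs offline; the hostnames bank.example and attacker.example, the cookie value and the server secret are all constructed for the demonstration.

```python
"""CSRF demo: the same forged requests replayed against a vulnerable handler
and a hardened one. The simulated browser behaviour is the pre-SameSite
default: cookies for bank.example ride along with every request to that
host, whichever page triggered it."""
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"           # assumed: the trusted site
ATTACKER_ORIGIN = "https://attacker.example"   # assumed: the attacker's page
SERVER_SECRET = b"demo-only-secret"            # constructed, never reuse

SESSIONS = {"sid-alice-7f3a": "alice"}         # cookie value -> user (constructed)
BALANCES = {}


def reset_balances():
    BALANCES.clear()
    BALANCES.update({"alice": 1000, "mallory": 0})


def browser_request(method, page_origin, params, cookies):
    """Model what the victim's browser emits when a page at page_origin
    triggers a request to SITE_ORIGIN: the site's cookies are attached
    automatically, and the initiating page is reported in Origin (POST)
    or Referer (GET)."""
    headers = {"Origin": page_origin} if method == "POST" else {"Referer": page_origin + "/"}
    return {"method": method, "headers": headers, "cookies": dict(cookies), "params": dict(params)}


def current_user(request):
    """Ambient authentication: whoever holds the session cookie is the user.
    This is the trust CSRF abuses; the cookie says nothing about intent."""
    return SESSIONS.get(request["cookies"].get("sid"))


def _move(src, dst, amount):
    if BALANCES.get(src, 0) < amount:
        return False
    BALANCES[src] -= amount
    BALANCES[dst] = BALANCES.get(dst, 0) + amount
    return True


def transfer_vulnerable(request):
    """Acts on the cookie alone and accepts GET as well as POST, so both an
    <img> tag and an auto-submitting form on attacker.example succeed."""
    user = current_user(request)
    if user is None:
        return 401
    return 200 if _move(user, request["params"]["to"], int(request["params"]["amount"])) else 400


def csrf_token_for(session_id):
    """Synchronizer token bound to the session by an HMAC. The site embeds it
    in its own forms; the attacker's page cannot read it because the
    same-origin policy blocks cross-site reads of bank.example responses."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(url):
    a, b = urlsplit(url), urlsplit(SITE_ORIGIN)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)   # exact match, not a prefix test


def transfer_hardened(request):
    """Three independent checks: state changes only on POST, the initiating
    origin (when the browser reports one) must be ours, and the request must
    carry the per-session token, compared in constant time."""
    user = current_user(request)
    if user is None:
        return 401
    if request["method"] != "POST":
        return 405
    initiator = request["headers"].get("Origin") or request["headers"].get("Referer")
    if initiator is not None and not same_origin(initiator):
        return 403
    expected = csrf_token_for(request["cookies"]["sid"])
    if not hmac.compare_digest(expected, request["params"].get("csrf_token", "")):
        return 403
    return 200 if _move(user, request["params"]["to"], int(request["params"]["amount"])) else 400


def run_scenarios():
    """Replay forged and legitimate requests against both handlers and return
    the status each produced plus Alice's resulting balance."""
    victim_cookies = {"sid": "sid-alice-7f3a"}
    steal = {"to": "mallory", "amount": "500"}
    img_tag = browser_request("GET", ATTACKER_ORIGIN, steal, victim_cookies)
    form_post = browser_request("POST", ATTACKER_ORIGIN, steal, victim_cookies)
    results = {}

    reset_balances()
    results["vuln_img_get"] = transfer_vulnerable(img_tag)
    results["vuln_forged_post"] = transfer_vulnerable(form_post)
    results["vuln_alice_balance"] = BALANCES["alice"]

    reset_balances()
    results["hard_img_get"] = transfer_hardened(img_tag)
    results["hard_forged_post"] = transfer_hardened(form_post)
    guessed = browser_request("POST", ATTACKER_ORIGIN, {**steal, "csrf_token": "0" * 64}, victim_cookies)
    results["hard_guessed_token"] = transfer_hardened(guessed)
    legit = browser_request("POST", SITE_ORIGIN,
                            {**steal, "csrf_token": csrf_token_for("sid-alice-7f3a")}, victim_cookies)
    results["hard_legit_post"] = transfer_hardened(legit)
    results["hard_alice_balance"] = BALANCES["alice"]
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Against the vulnerable handler both forged requests return 200 and drain Alice's account; against the hardened one the image-tag GET fails the method check, the forged POST fails the Origin check, a guessed token fails the HMAC comparison, and only the request from the site's own form, carrying the real token, goes through. In a real deployment the token check and the origin check are kept as separate defences, and the session cookie would additionally be marked SameSite so that the browser stops attaching it to cross-site requests in the first place.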

SecPoint® © Copyright 1999-2013