Hidden CSRF, common but deadly

2009-05-03 00:05:57

Fri, 03 Apr 09 19:19:35 -0600

CSRF, or Cross-Site Request Forgery, is a simple exploit where an HTML form is made to automatically submit a fraudulent request to another website.

A simple example script (the original was missing two quote characters, fixed here):

<form action="http://example.com/users/changepassword.jsp" method="post">
<input type="hidden" name="newpassword" value="[[new password]]">
</form>
<script>document.forms[0].submit();</script>



Put simply, this script will automatically make a request to example.com to change some unlucky user's password.
Sometimes these are placed in advertisements, blogs, comments, or a simple malicious site.

There are many useful ways to protect against this exploit.

The most common is also the most useless.

In the first method, the script checks the referrer (the HTTP Referer header) to ensure that it matches the expected site, and refuses the action if the referrer is wrong.
The problem is that XSS exploits, advanced browser exploits, or any number of other issues can bypass this via XSSRF or a simple AJAX worm.


The next method is a CAPTCHA to check if a user actually performed the action.

This is the most secure method, but also the most irritating. A user should not have to solve a CAPTCHA every time she sends an email.
Not to mention that remote CAPTCHA automations are still rampant.

Next, a good balance of both, a check token.

The simple concept is to add a hidden input with a randomized value (e.g. sha1(microtime() . rand() . "\x12\0"); or similar).

The action then compares the submitted value against the copy stored in the session, and proceeds only if they match.

This, however, is also vulnerable to XSSRF and AJAX worms, but not as much as a referrer check.
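A server-side implementation of the check-token method described above, as an added example that is not from the original post. The in-memory session store, the handler names and the use of a CSPRNG in place of sha1(microtime() . rand()) are assumptions made for this example.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store, standing in for whatever the
# application actually uses (assumption for this example).
SESSIONS: Dict[str, Dict[str, str]] = {}


def issue_token(session_id: str) -> str:
    """Create a fresh random token and store it in the user's session.

    A CSPRNG is used instead of sha1(microtime() . rand()) because the
    latter's inputs are guessable; the token must not be predictable.
    """
    token = secrets.token_hex(32)
    SESSIONS.setdefault(session_id, {})["csrf_token"] = token
    return token


def render_form(session_id: str, action: str) -> str:
    """Embed the session's token as a hidden input in the protected form."""
    token = issue_token(session_id)
    return (
        f'<form action="{action}" method="post">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input type="password" name="newpassword">\n'
        "</form>"
    )


def check_token(session_id: str, submitted: Optional[str]) -> bool:
    """True only if the submitted token equals the one stored in the session.

    A form served from another site cannot read the victim's session, so it
    cannot supply a matching value. compare_digest avoids timing leaks.
    """
    expected = SESSIONS.get(session_id, {}).get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_change_password(session_id: str, form: Dict[str, str]) -> str:
    """The protected action: validate the token first, then rotate it."""
    if not check_token(session_id, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    issue_token(session_id)  # single use: a replayed token is refused
    return "200 OK: password changed"
```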

It should be noted that any script that is important enough to employ any protection should always have frame breaker code.


<script>if (parent.frames.length > 0) { parent.location.href = location.href; }</script>



On to the hidden CSRF point.
Hidden CSRF is where a common CSRF exploit is placed in a hidden frame (opacity:0 or visibility:hidden in CSS). So, a user may enter a page with, say, a funny video, giving the CSRF plenty of time to execute without any sort of warning or hint as to the danger.

Simple solution: frame breaking code.
Use it.
