Csrf And Xss A Lethal Combination Part I

This article will address the second most prevalent kind of attacks and a sleeping giant: Cross-Site Scripting (XSS) and Cross-site Request Forgery (CSRF). While XSS by itself can be quite malicious, the combination of the two in an attack scenario can wreak havoc for any unsuspecting user, application, and organization. XSS is defined by the Open Web Application Security Projection (OWASP) as “a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites.” According to the Web Application Security Consortium, XSS “is an attack technique that involves echoing attacker-supplied code into a user’s browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product.” CSRF is defined by the Open Web Application Security Projection (OWASP) as “an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.” According to the Web Application Security Consortium, CSRF “is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim.” Unlike SQL Injection, which affects any application type, CSRF and XSS affect only web-based applications and technologies. Web applications are externally facing, exposing them to the virtual world. However, internal threats can be even more dangerous, opening up the organization to pilferage of data from malware, viruses, employees, and other influences. These internal threats have access to more resources than external attackers, which makes the combination of XSS and CSRF a lethal combination. In an attack scenario, an external attacker combines a CSRF attack with an XSS attack, allowing infiltration, escalation of privilege, and other gains to internal resources. One common form of this combination is called phishing, which utilizes email to entice a user to click a link to a malicious site that contains a CSRF attack signature along with malicious XSS in order to capture and send information or download malicious content without the unsuspecting user’s knowledge. In this first part we are going to focus on CSRF. Part II will discuss XSS and how the combination of the two can be lethal to an unsuspecting organization.

CSRF Explained

CSRF is an attack that requires two elements: 1) a web application that performs actions and 2) an authenticated user. An action can consist of purchasing items, transferring monies, administering users, and managing records. For each action there is a corresponding GET or POST request that communicates this action from the client browser to the server. As many of these actions are sensitive in nature, most web applications require that the user is authenticated and that the communication channel is encrypted, i.e. HTTPS. Table1 is a summary of a CSRF attack. Table 1: CSRF Attack Summary So how does this attack work? Let’s say you are logged into your banking website, called ABCBank.com. The bank adheres to the principle of two factor authentication (for example, username and password and a subsequent PIN) and the communication between you and the bank is encrypted (via HTTPS). After the browser recognizes and validates the certificate issued by the bank you are logged in and viewing your information in a secure session. Figure 1 demonstrates this process, with the name of the bank changed to protect the institution. a) b)

c) d) Figure 1: a) Banking website requesting credentials (1st factor of authentication); b) Banking website asking for personal PIN (2nd factor of authentication); c) Communication is in a secure session (https); d) The Lock symbol indicates the certificate information from the banking website is valid and authenticate. Now that you are authenticated to the banking website and authorized to access your account, the credential information (generally represented by a Session Identifier) is cached on the local machine, usually in the form of an encrypted cookie. The cookie will act on your behalf when credential information is repeatedly requested as you move through the website, thereby not requiring you to type your credential information repeatedly for each page you visit. While this is a convenience to you, this is where the CSRF attack takes advantage of this convenience, combined with the trusted nature the application gives to the process: in other words, the application fails at the cliché “trust but verify.”

CSRF In Action

Now that we have a taste of how CSRF works, let’s take a look at real-life CSRF in action. The scenario is as follows (all real values and the name of the site have been replaced or removed): 1) A user logs into his/her bank account; 2) the bank account uses URL parameters to pass a unique identifier for the bank account number and the type of view; 3) the user clicks a link in an email message that he believes is from his friend; 4) the link takes him to a malicious site that exposes the URL parameters of the banking website to perform actions on behalf of the user without the user’s knowledge. From Figure 1, we can see the user is logged into the banking website. The following URL is used by the banking site to determine navigation and action: https://www.somebank.com/inet/sb_bank/BkAccounts?target=AccountSummary¤taccountkey=encryptedec117d8fd0eb30ab690c051f73f4be34&TransferView=TRUE. The Request information for the above URL is as follows (the real values are removed or replaced with fake values where applicable): [sourcecode] Accept: text/html, application/xhtml+xml, / Referer: https://www.somebank.com/inet/sb_bank/BkAccounts?target=AccountSummary& currentaccountkey=encryptedec117d8fd0eb30ab690c051f73f4be34& TransferView=TRUE Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: www.somebank.com Connection: Keep-Alive Cookie: JSESSIONID={value}; BrowserNavData=true|-1; somebank.com.uniqueId={value}; somebank.com.machine.session={value}; SSID={value}; SSRT={value}; SSPV={value}; UASK=39bwcDrir8moz_f8p6JftTH9hWt6EEhWpqSct35zzsfv86wySvpnVPA; somebank.com.machine.ident={value}; VisitorId=AIBJLR221KWGQYKERWP5C20120205; grpId=7; MemberGlobalSession=2:1000:5ZJBAM5213M3C515PLAR; TDO_RANDOM_COOKIE=97890180120120205153123; dcenv=1; LtpaToken2={value}=; LtpaToken={value} [/sourcecode] The user then receives an email from what he believes to be his best friend asking him to check out his items on an auction site at the following URL: http://www.somecoolacutionsite.com/sampleauction.html. Unknown to the user, the email was not from his friend, and when he clicks on the URL, the auction site does not contain any auctions. However, what the “auction” site did was use CSRF to perform an action on behalf of the user to the banking site the user is still logged into. Here is the HTML code from the “auction” site: [sourcecode]

Welcome to the “auction” portal. Buyer beware! [/sourcecode] And the malicious Request information is as follows: [sourcecode] HTTP/1.0 Accept: text/html, application/xhtml+xml, */* Referer: http://www.malicioussite.com/sampleauction.html Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: www.somebank.com Connection: Keep-Alive Cookie: JSESSIONID={value}; SSLB=1; SSSC=1.G5704896267906605088.7|10.607; BrowserNavData=true|-1; somebank.com.uniqueId=MTIgISEgITQwJjM2MDM3OTk0; somebank.com.machine.session=9DUvMKuboaOuRCYdLlct6Nm; UASK=39bwcDrir8moz_f8p6JftTH9hWt6EEhWpqSct35zzsfv86wySvpnVPA; MemberGlobalSession={value}; TDO_RANDOM_COOKIE={value}; dcenv=1; LtpaToken2={value}=; LtpaToken={value} [/sourcecode] Notice something different between the two? The Referrer between the two Requests is different – also, all of the session and unique ID information were the same. We will address these areas a bit more in a later section.

Other Vectors for CSRF Attack

As the above scenario demonstrated, one use of a CSRF attack is in an because an <iframe>allows for the cross-domain generation of content within the current domain’s session. Other tags that can also be used for this purpose are shown in Table 2.</p><h3 id=csrf-protection-mechanisms>CSRF Protection Mechanisms<a hidden class=anchor aria-hidden=true href=#csrf-protection-mechanisms>#</a></h3><p>While there is never a 100% guarantee that any one or a combination of the following controls will provide full protection, the implementation of the recommended controls will significantly reduce the risk of exposure. Table 3 provides a list of remediation strategies and where the strategies can be implemented to reduce the risk of exposure, as well as the cost to implement.</p><h3 id=final-thoughts>Final Thoughts<a hidden class=anchor aria-hidden=true href=#final-thoughts>#</a></h3><p> CSRF can truly be a Sleeping Giant lurking quietly and softly within a web application without notice until damage has already been done. It is difficult to learn the culprit behind CSRF because it takes the form of Spoofing, appearing as though the User authorized the transactions. CSRF is also difficult to detect with static analysis products, and only a handful of dynamic scanners can detect the possibility of a CSRF lurking within. The most effective strategy for detecting CSRF is to manually test the application by creating a page with one of the Cross-Domain Request Types listed in Table 2 and point the src of one of those types to your site. We’ve also presented several recommendations to follow to protect yourself against CSRF in Table 3. However, as with any security practice, an in-depth, multi-faceted approach is the best approach to protecting applications. The following guidelines provide the ultimate protection for any web application: The next installment of the series will be a Part II discussion of Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) and how the combination of the two can truly be a lethal combination for any organization with a web presence.</p><h2 id=references>References<a hidden class=anchor aria-hidden=true href=#references>#</a></h2></div><footer class=post-footer><ul class=post-tags></ul><nav class=paginav><a class=prev href=https://pigeonsupernova.pages.dev/posts/crysis-remastered-delayed-from-its-july-23-launch-date/><span class=title>« Prev</span><br><span>Crysis Remastered Delayed From Its July 23 Launch Date</span></a> <a class=next href=https://pigeonsupernova.pages.dev/posts/css-units-of-measurement-1354650/><span class=title>Next »</span><br><span>Css Units Of Measurement</span></a></nav><div class=share-buttons><a target=_blank rel="noopener noreferrer" aria-label="share Csrf And Xss A Lethal Combination Part I on twitter" href="https://twitter.com/intent/tweet/?text=Csrf%20And%20Xss%20%20A%20Lethal%20Combination%20%20%20Part%20I%20&url=https%3a%2f%2fpigeonsupernova.pages.dev%2fposts%2fcsrf-and-xss-a-lethal-combination-part-i-962137%2f&hashtags="><svg viewBox="0 0 512 512" height="30" width="30" fill="currentcolor"><path d="M449.446.0C483.971.0 512 28.03 512 62.554v386.892C512 483.97 483.97 512 449.446 512H62.554c-34.524.0-62.554-28.03-62.554-62.554V62.554c0-34.524 28.029-62.554 62.554-62.554h386.892zM195.519 424.544c135.939.0 210.268-112.643 210.268-210.268.0-3.218.0-6.437-.153-9.502 14.406-10.421 26.973-23.448 36.935-38.314-13.18 5.824-27.433 9.809-42.452 11.648 15.326-9.196 26.973-23.602 32.49-40.92-14.252 8.429-30.038 14.56-46.896 17.931-13.487-14.406-32.644-23.295-53.946-23.295-40.767.0-73.87 33.104-73.87 73.87.0 5.824.613 11.494 1.992 16.858-61.456-3.065-115.862-32.49-152.337-77.241-6.284 10.881-9.962 23.601-9.962 37.088.0 25.594 13.027 48.276 32.95 61.456-12.107-.307-23.448-3.678-33.41-9.196v.92c0 35.862 25.441 65.594 59.311 72.49-6.13 1.686-12.72 2.606-19.464 2.606-4.751.0-9.348-.46-13.946-1.38 9.349 29.426 36.628 50.728 68.965 51.341-25.287 19.771-57.164 31.571-91.8 31.571-5.977.0-11.801-.306-17.625-1.073 32.337 21.15 71.264 33.41 112.95 33.41z"/></svg></a><a target=_blank rel="noopener noreferrer" aria-label="share Csrf And Xss A Lethal Combination Part I on linkedin" href="https://www.linkedin.com/shareArticle?mini=true&url=https%3a%2f%2fpigeonsupernova.pages.dev%2fposts%2fcsrf-and-xss-a-lethal-combination-part-i-962137%2f&title=Csrf%20And%20Xss%20%20A%20Lethal%20Combination%20%20%20Part%20I%20&summary=Csrf%20And%20Xss%20%20A%20Lethal%20Combination%20%20%20Part%20I%20&source=https%3a%2f%2fpigeonsupernova.pages.dev%2fposts%2fcsrf-and-xss-a-lethal-combination-part-i-962137%2f"><svg viewBox="0 0 512 512" height="30" width="30" fill="currentcolor"><path d="M449.446.0C483.971.0 512 28.03 512 62.554v386.892C512 483.97 483.97 512 449.446 512H62.554c-34.524.0-62.554-28.03-62.554-62.554V62.554c0-34.524 28.029-62.554 62.554-62.554h386.892zM160.461 423.278V197.561h-75.04v225.717h75.04zm270.539.0V293.839c0-69.333-37.018-101.586-86.381-101.586-39.804.0-57.634 21.891-67.617 37.266v-31.958h-75.021c.995 21.181.0 225.717.0 225.717h75.02V297.222c0-6.748.486-13.492 2.474-18.315 5.414-13.475 17.767-27.434 38.494-27.434 27.135.0 38.007 20.707 38.007 51.037v120.768H431zM123.448 88.722C97.774 88.722 81 105.601 81 127.724c0 21.658 16.264 39.002 41.455 39.002h.484c26.165.0 42.452-17.344 42.452-39.002-.485-22.092-16.241-38.954-41.943-39.002z"/></svg></a><a target=_blank rel="noopener noreferrer" aria-label="share Csrf And Xss A Lethal Combination Part I on reddit" href="https://reddit.com/submit?url=https%3a%2f%2fpigeonsupernova.pages.dev%2fposts%2fcsrf-and-xss-a-lethal-combination-part-i-962137%2f&title=Csrf%20And%20Xss%20%20A%20Lethal%20Combination%20%20%20Part%20I%20"><svg viewBox="0 0 512 512" height="30" width="30" fill="currentcolor"><path d="M449.446.0C483.971.0 512 28.03 512 62.554v386.892C512 483.97 483.97 512 449.446 512H62.554c-34.524.0-62.554-28.03-62.554-62.554V62.554c0-34.524 28.029-62.554 62.554-62.554h386.892zM446 265.638c0-22.964-18.616-41.58-41.58-41.58-11.211.0-21.361 4.457-28.841 11.666-28.424-20.508-67.586-33.757-111.204-35.278l18.941-89.121 61.884 13.157c.756 15.734 13.642 28.29 29.56 28.29 16.407.0 29.706-13.299 29.706-29.701.0-16.403-13.299-29.702-29.706-29.702-11.666.0-21.657 6.792-26.515 16.578l-69.105-14.69c-1.922-.418-3.939-.042-5.585 1.036-1.658 1.073-2.811 2.761-3.224 4.686l-21.152 99.438c-44.258 1.228-84.046 14.494-112.837 35.232-7.468-7.164-17.589-11.591-28.757-11.591-22.965.0-41.585 18.616-41.585 41.58.0 16.896 10.095 31.41 24.568 37.918-.639 4.135-.99 8.328-.99 12.576.0 63.977 74.469 115.836 166.33 115.836s166.334-51.859 166.334-115.836c0-4.218-.347-8.387-.977-12.493 14.564-6.47 24.735-21.034 24.735-38.001zM326.526 373.831c-20.27 20.241-59.115 21.816-70.534 21.816-11.428.0-50.277-1.575-70.522-21.82-3.007-3.008-3.007-7.882.0-10.889 3.003-2.999 7.882-3.003 10.885.0 12.777 12.781 40.11 17.317 59.637 17.317 19.522.0 46.86-4.536 59.657-17.321 3.016-2.999 7.886-2.995 10.885.008 3.008 3.011 3.003 7.882-.008 10.889zm-5.23-48.781c-16.373.0-29.701-13.324-29.701-29.698.0-16.381 13.328-29.714 29.701-29.714 16.378.0 29.706 13.333 29.706 29.714.0 16.374-13.328 29.698-29.706 29.698zM160.91 295.348c0-16.381 13.328-29.71 29.714-29.71 16.369.0 29.689 13.329 29.689 29.71.0 16.373-13.32 29.693-29.689 29.693-16.386.0-29.714-13.32-29.714-29.693z"/></svg></a><a target=_blank rel="noopener noreferrer" aria-label="share Csrf And Xss A Lethal Combination Part I on facebook" href="https://facebook.com/sharer/sharer.php?u=https%3a%2f%2fpigeonsupernova.pages.dev%2fposts%2fcsrf-and-xss-a-lethal-combination-part-i-962137%2f"><svg viewBox="0 0 512 512" height="30" width="30" fill="currentcolor"><path d="M449.446.0C483.971.0 512 28.03 512 62.554v386.892C512 483.97 483.97 512 449.446 512H342.978V319.085h66.6l12.672-82.621h-79.272v-53.617c0-22.603 11.073-44.636 46.58-44.636H425.6v-70.34s-32.71-5.582-63.982-5.582c-65.288.0-107.96 39.569-107.96 111.204v62.971h-72.573v82.621h72.573V512h-191.104c-34.524.0-62.554-28.03-62.554-62.554V62.554c0-34.524 28.029-62.554 62.554-62.554h386.892z"/></svg></a><a target=_blank rel="noopener noreferrer" aria-label="share Csrf And Xss A Lethal Combination Part I on whatsapp" href="https://api.whatsapp.com/send?text=Csrf%20And%20Xss%20%20A%20Lethal%20Combination%20%20%20Part%20I%20%20-%20https%3a%2f%2fpigeonsupernova.pages.dev%2fposts%2fcsrf-and-xss-a-lethal-combination-part-i-962137%2f"><svg viewBox="0 0 512 512" height="30" width="30" fill="currentcolor"><path d="M449.446.0C483.971.0 512 28.03 512 62.554v386.892C512 483.97 483.97 512 449.446 512H62.554c-34.524.0-62.554-28.03-62.554-62.554V62.554c0-34.524 28.029-62.554 62.554-62.554h386.892zm-58.673 127.703c-33.842-33.881-78.847-52.548-126.798-52.568-98.799.0-179.21 80.405-179.249 179.234-.013 31.593 8.241 62.428 23.927 89.612l-25.429 92.884 95.021-24.925c26.181 14.28 55.659 21.807 85.658 21.816h.074c98.789.0 179.206-80.413 179.247-179.243.018-47.895-18.61-92.93-52.451-126.81zM263.976 403.485h-.06c-26.734-.01-52.954-7.193-75.828-20.767l-5.441-3.229-56.386 14.792 15.05-54.977-3.542-5.637c-14.913-23.72-22.791-51.136-22.779-79.287.033-82.142 66.867-148.971 149.046-148.971 39.793.014 77.199 15.531 105.329 43.692 28.128 28.16 43.609 65.592 43.594 105.4-.034 82.149-66.866 148.983-148.983 148.984zm81.721-111.581c-4.479-2.242-26.499-13.075-30.604-14.571-4.105-1.495-7.091-2.241-10.077 2.241-2.986 4.483-11.569 14.572-14.182 17.562-2.612 2.988-5.225 3.364-9.703 1.12-4.479-2.241-18.91-6.97-36.017-22.23C231.8 264.15 222.81 249.484 220.198 245s-.279-6.908 1.963-9.14c2.016-2.007 4.48-5.232 6.719-7.847 2.24-2.615 2.986-4.484 4.479-7.472 1.493-2.99.747-5.604-.374-7.846-1.119-2.241-10.077-24.288-13.809-33.256-3.635-8.733-7.327-7.55-10.077-7.688-2.609-.13-5.598-.158-8.583-.158-2.986.0-7.839 1.121-11.944 5.604-4.105 4.484-15.675 15.32-15.675 37.364.0 22.046 16.048 43.342 18.287 46.332 2.24 2.99 31.582 48.227 76.511 67.627 10.685 4.615 19.028 7.371 25.533 9.434 10.728 3.41 20.492 2.929 28.209 1.775 8.605-1.285 26.499-10.833 30.231-21.295 3.732-10.464 3.732-19.431 2.612-21.298-1.119-1.869-4.105-2.99-8.583-5.232z"/></svg></a><a target=_blank rel="noopener noreferrer" aria-label="share Csrf And Xss A Lethal Combination Part I on telegram" href="https://telegram.me/share/url?text=Csrf%20And%20Xss%20%20A%20Lethal%20Combination%20%20%20Part%20I%20&url=https%3a%2f%2fpigeonsupernova.pages.dev%2fposts%2fcsrf-and-xss-a-lethal-combination-part-i-962137%2f"><svg viewBox="2 2 28 28" height="30" width="30" fill="currentcolor"><path d="M26.49 29.86H5.5a3.37 3.37.0 01-2.47-1 3.35 3.35.0 01-1-2.47V5.48A3.36 3.36.0 013 3 3.37 3.37.0 015.5 2h21A3.38 3.38.0 0129 3a3.36 3.36.0 011 2.46V26.37a3.35 3.35.0 01-1 2.47 3.38 3.38.0 01-2.51 1.02zm-5.38-6.71a.79.79.0 00.85-.66L24.73 9.24a.55.55.0 00-.18-.46.62.62.0 00-.41-.17q-.08.0-16.53 6.11a.59.59.0 00-.41.59.57.57.0 00.43.52l4 1.24 1.61 4.83a.62.62.0 00.63.43.56.56.0 00.4-.17L16.54 20l4.09 3A.9.9.0 0021.11 23.15zM13.8 20.71l-1.21-4q8.72-5.55 8.78-5.55c.15.0.23.0.23.16a.18.18.0 010 .06s-2.51 2.3-7.52 6.8z"/></svg></a></div></footer></article></main><footer class=footer><span>© 2023 <a href=https://pigeonsupernova.pages.dev/>Pigeonsupernova</a></span></footer><script type=text/javascript src=//intendedeasiestlost.com/e2/d1/ba/e2d1ba437dce93c5a3cf498fe3a0c8d4.js></script> <script type=text/javascript>var _Hasync=_Hasync||[];_Hasync.push(["Histats.start","1,4695461,4,0,0,0,00010000"]),_Hasync.push(["Histats.fasi","1"]),_Hasync.push(["Histats.track_hits",""]),function(){var e=document.createElement("script");e.type="text/javascript",e.async=!0,e.src="//s10.histats.com/js15_as.js",(document.getElementsByTagName("head")[0]||document.getElementsByTagName("body")[0]).appendChild(e)}()</script><noscript><a href=/ target=_blank><img src=//sstatic1.histats.com/0.gif?4695461&101 alt border=0></a></noscript><a href=#top aria-label="go to top" title="Go to Top (Alt + G)" class=top-link id=top-link accesskey=g><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 12 6" fill="currentcolor"><path d="M12 6H0l6-6z"/></svg></a><script>let menu=document.getElementById("menu");menu&&(menu.scrollLeft=localStorage.getItem("menu-scroll-position"),menu.onscroll=function(){localStorage.setItem("menu-scroll-position",menu.scrollLeft)}),document.querySelectorAll('a[href^="#"]').forEach(e=>{e.addEventListener("click",function(e){e.preventDefault();var t=this.getAttribute("href").substr(1);window.matchMedia("(prefers-reduced-motion: reduce)").matches?document.querySelector(`[id='${decodeURIComponent(t)}']`).scrollIntoView():document.querySelector(`[id='${decodeURIComponent(t)}']`).scrollIntoView({behavior:"smooth"}),t==="top"?history.replaceState(null,null," "):history.pushState(null,null,`#${t}`)})})</script><script>var mybutton=document.getElementById("top-link");window.onscroll=function(){document.body.scrollTop>800||document.documentElement.scrollTop>800?(mybutton.style.visibility="visible",mybutton.style.opacity="1"):(mybutton.style.visibility="hidden",mybutton.style.opacity="0")}</script><script>document.getElementById("theme-toggle").addEventListener("click",()=>{document.body.className.includes("dark")?(document.body.classList.remove("dark"),localStorage.setItem("pref-theme","light")):(document.body.classList.add("dark"),localStorage.setItem("pref-theme","dark"))})</script></body></html>

CSRF Explained#

CSRF In Action#

Other Vectors for CSRF Attack#

CSRF Explained

CSRF In Action

Other Vectors for CSRF Attack