Ranked at number eight on the 2013 OWASP Top Ten, Cross-Site Request Forgery (CSRF) remains a major concern. CSRF manipulates a web application vulnerability which allows an attacker to trick the end user into performing unwanted and possibly sensitive actions.
A CSRF attack can occur when an authenticated user moves to a malicious website while still logged into the target web application. Malicious HTTP requests can then be routed to the target site via the victim’s browser. The application will perform the task as requested because it stems from the browser of an authenticated user. Essentially, CSRF is an exploitation of the trust a browser has in an authenticated user. Such an attack is relatively easy to set up and, worryingly, can be difficult to detect. CSRF may be used to steal an authenticated user’s personal details or even perform financial transactions. The recent exposure of a speedily remedied CSRF vulnerability in Twitter was a timely reminder of the continued danger CSRF poses. Twitter joins a high profile list including Gmail, Facebook, Ebay, YouTube, and INGDirect who have all encountered CSRF vulnerabilities in their websites.
A potential CSRF manifestation
There are a number of CSRF prevention techniques in popular usage. One of the most common methods is to implement CSRF tokens with the Synchronizer Token Pattern by appending unpredictable challenge tokens to each request to ensure the validity of the source. The server application must then verify that each sensitive HTTP request contains the correct token. With this defense enabled, a successful attack would require the malicious actor to guess the randomly generated token – a near impossible task. Another prevention method involves validating the HTTP Referer header. In theory, CSRF attacks are prevented by accepting requests from trusted sources only. It goes without saying that this defense can fail if a site processes requests that do not contain a referer header. Also, CSRF attacks that originate from an HTTPS domain will omit the referer. Developers should treat HTTPS requests that attempt a state change as an attack. When implemented correctly, the HTTP referrer defense can effectively guard against CSRF attacks. One final caveat to note is that a referrer check can be bypassed with cross-site scripting.
Persistent CSRF risk
CSRF remains a dangerous and widespread vulnerability. With increased awareness of CSRF, many websites have successfully implemented defense mechanisms, but Twitter’s recent exposure to a subtle CSRF flaw offers a timely reminder of the persistent threat.