Cross-Site Request Forgeries: Exploitation and Prevention - PowerPoint PPT Presentation

Transcript and Presenter's Notes
Cross-Site Request Forgeries: Exploitation and Prevention
William Zeller / Edward W. Felten, Princeton University
Overview
How CSRF Attacks Work
Exploits We Discovered
Client-Side Solution
Our work
  • Demonstrates attacks against four high-profile sites
  • Provides a browser plugin to protect users
  • Provides instructions and sample code showing websites and web frameworks how to protect themselves

Exploits We Discovered
  • Large Bank
    • Transferring money out of user bank accounts
    • Creating checking accounts on behalf of users
  • Large Newspaper Site
    • Identifying user email addresses for spamming or identification
  • Large Media Site
    • Adding videos to a user's Favorites
    • Adding the attacker as a user's Friend
    • Sending arbitrary messages on a user's behalf
    • Automatically sharing videos with a user's contacts
    • Etc., etc.
  • Large Community Site
    • Taking control of user accounts by:
      • Changing the user's email address
      • Friending the user to determine the user name
      • Entering the user name on the Forgot Password page, which causes a new password of the attacker's choosing to be created

Client-Side Solution
  • Implemented as a plugin for the Firefox web browser
  • Blocks all cross-domain POST requests
  • Gives users the option of white-listing
  • Implements Adobe's Cross Domain policy (i.e., if cross-domain requests work with Flash, they'll work with the plugin)
  • Could easily be extended to other browsers
  • Does not prevent attacks against sites that allow GET requests to cause trusted actions to be taken

The Web Browser has established an authenticated
session with Trusted Site. Trusted Action should
only be performed when an authenticated web
browser makes the request.
Introduction to CSRF
  • Cross-Site Request Forgeries (CSRF)
    • Are a type of Web-based vulnerability
    • Occur when a malicious web site causes a user's browser to perform some action on a trusted site (using GET or POST requests)
    • Require the user to visit the attacker's site
    • Have been called the "Sleeping Giant" of attacks
    • Are easy to prevent once understood
    • Are extremely prevalent on the Internet today
    • Are not prevented by SSL
    • Are possible even when JavaScript is turned off (if the attacker can use GET requests to cause trusted actions to be taken)

Server-Side Solution
  • Sets nonce in form field and in cookie
  • Only allow POST requests if values match
  • Attacker can set form field values, but not cookie values
  • Recommended for web frameworks (Code Igniter, Ruby on Rails, etc.)
    • Automates CSRF protection
    • Removes CSRF protection from responsibility of web developer
  • Implemented solution for Code Igniter
    • Legacy web sites protected without modification
    • Appears to be scheduled for inclusion in next release

Example of a valid request. The Web Browser
attempts to perform a Trusted Action. The Trusted
Site confirms that the Web Browser is
authenticated and allows the action to be
performed.
Example of a CSRF attack. The Attacking Site
causes the browser to send a request to the
Trusted Site. The Trusted Site sees a valid,
authenticated Web Browser and performs the
Trusted Action.
Names removed while paper is in-submission