A brief overview of Cross site request forgery(CSRF) attack

1. Sreejith S
MCA
Amrita School of Engineering
Email: sreejiths.sasikumar@gmail.com

2. Agenda
• Why CSRF is interesting?
• Refresher on HTML forms
• Anatomy of CSRF attack
• Obstacles for attacker
• Existing CSRF defenses

5. Cookie: SessionID=523FA4cd2E

8. Existing CSRF defenses
• Secret Validation token
• We use a validation token to determine whether the request came from
an authorized source.
• Validation token must be hard to guess by the attacker
• If the request is missing a validation token or the token does not match
the expected value the server should reject the request.

9. • Where the Secret validation token fails
• Many websites and CSRF frameworks fail to implement secret token
defense correctly.
• One common mistake is to leak the CSRF token during cross site
request.
• Eg. If the honest site appends the CSRF token to the hyperlinks to
another website then that website gains the ability to forge cross-site
requests against the honest site.

10. • The Referer Header
• When the browser issues an HTTP request, it includes a referer header that
indicates which URL initiated the request.
• This information in the Referer header could be used to distinguish between
same site request and cross site request.
Referer: http://www.facebook.com/
Referer: http://www.attacker.com/evil.html
Referer:


?

11. • Privacy Issues with Referer header
• The referer contains senstive information that impinges on
the privacy
• The referer header reveals contents of the search query that
lead to visit a website.
• Some organizations are concerned that confidential
information about their corporate intranet might leak to
external websites via Referer header

12. • Referer header Implementation
Lenient Referer Validation
• The site blocks request whose referer header has incorrect
value
• If the request lacks the header then the site accepts the
request.
• Disadvantage is that the attacker can cause the web browser
to suppress the referer header.
• Eg. Request issued from ftp and data URLs do not carry
Referer headers.

13. • Referer header Implementation
Strict Referer Validation
• The site blocks the request whose referer header has
incorrect value and also blocks request that lack a referer
header.
• Disadvantage is that some browsers and network
configurations suppress referer header for legitimate
requests.

14. • Custom HTTP Headers
• Browsers prevent sites from sending custom HTTP headers
to another site but allow sites to send custom HTTP headers
to themselves.
• Cookie value is not actually required to prevent CSRF
attacks, the mere presence of the header is sufficient.
• To use this scheme as a CSRF Defense, a site must issue all
state modifying requests using XMLHttpRequest, attach the
header and reject all requests that do not accompany the
header .

15. Thank You 