Introduction
How CSRF works / Small example
Coding a vulnerable application
Avoiding CSRF
Farewell
======================================
[+] Introduction [+]
Well, in this paper we will talk about CSRF / XSRF [Cross Site Request Forgery].
I will try to explain as much as possible about this vulnerability and, most importantly ..
how to prevent these attacks.
Let's start .. =)
======================================
[+] How CSRF works [+]
Well, in CSRF the attacker tries to "force" some malicious request by exploiting a session
that is open (or not yet expired) for the victim, so that the victim's browser performs the
action the attacker wants.
[+] Fuller definition (Thanks C1c4Tr1Z): [+]
An attack based on HTML <tags> that issue an HTTP GET request, either as a direct action
(e.g. <img src=http://mail.google.com/mail/?logout&hl=es>) or as an indirect action
(e.g. <img src=http://www.atacante.com/xsrf.html>, an HTML file that itself issues POST / GET
requests), without the victim of the attack consenting to or approving it, since the attack
operates silently. The attack can in turn take advantage of cookies (active or expired) or of
actions that the site performs without any kind of verification.
[+] Small Example [+]
Well, let's say we are currently logged in to a forum .. and a user sends us a private
message telling us something like:
"Hello, this C++ tutorial looks good .. [Click Here <= malicious URL]"
And let's say that when the user clicks the link it leads to a page more or less like this:
http://site.com/foro/index.php?action=logout
This would close the user's session .. but what would happen if, instead of closing the
user's session, it could change any of their data, such as email / password ..
======================================
[+] Coding a vulnerable application [+]
This application will be an account page .. Let's say it is an image hosting site called
"MyHosting" ... and to change our data (email / password, etc.) we have a form like the
following:
// index.php
==================================================================
<form method="POST" action="datos.php" name="datos">
User: <input type="text" name="usuario">
Email: <input type="text" name="email">
Password: <input type="text" name="contrasena">
Alternative email: <input type="text" name="emailalternativo">
<input type="submit" name="submit" value="cambiardatos">
</form>
==================================================================
// index.php end
===========================================
==================================================================
// datos.php
<?php
session_start();
// Every field is read from $_REQUEST, so it is accepted from a GET URL as well as
// from the POST form, and nothing ties the request to the user's own session.
if (isset($_REQUEST['usuario']))
    $usuario = $_REQUEST['usuario'];
else
    die("Fill in the User field");
if (isset($_REQUEST['email']))
    $email = $_REQUEST['email'];
else
    die("Fill in the Email field");
if (isset($_REQUEST['contrasena']))
    $contrasena = $_REQUEST['contrasena'];
else
    die("Fill in the Password field");
if (isset($_REQUEST['emailalternativo']))
    $emailalternativo = $_REQUEST['emailalternativo'];
else
    die("Fill in the alternative email field");
// Let's say this function, called CambiarDatos,
// is the one that updates the data of our beloved MyHosting premium account
CambiarDatos($usuario, $email, $contrasena, $emailalternativo);
?>
==================================================================
Then, when we change our data .. the URL would look more or less like this:
http://myhosting.com/datos.php?usuario=Tec-n0x&email=mymail@gmail.com&contrasena=mypass123&emailalternativo=mymail2@gmail.com
So here is the danger ... What if we are currently logged in to the site .. and a user
sends us a link that we open .. which contains code like this:
==================================================================
<html>
<head>
<title>Hi</title>
</head>
<body>
<img src="http://myhosting.com/datos.php?usuario=Tec-n0x&email=atackermail@gmail.com&contrasena=atackerpassword&emailalternativo=atackermail2@gmail.com">
</body>
</html>
==================================================================
If the user was logged in to MyHosting.com and saw this page .. what happens? The browser
would send an HTTP request to MyHosting, with the user's session cookie, and the user's data
would be changed ..
===========================================
[+] Avoiding CSRF [+]
Well, let's use MyHosting as the example ..
Our index.php (I have added a field called "actualcontrasena"):
==================================================================
<form method="POST" action="datos.php" name="datos">
User: <input type="text" name="usuario">
Email: <input type="text" name="email">
Password: <input type="text" name="contrasena">
Alternative email: <input type="text" name="emailalternativo">
Current password: <input type="text" name="actualcontrasena">
<input type="submit" name="submit" value="cambiardatos">
</form>
==================================================================
A file called "config.php" that connects to the database:
==================================================================
<?php
$bd_host = "localhost";
$bd_usuario = "user";
$bd_password = "pass";
$bd_base = "bd";
// Connection handle used by datos.php
$con = mysql_connect($bd_host, $bd_usuario, $bd_password);
mysql_select_db($bd_base, $con);
?>
==================================================================
And the file "datos.php" .. but amended:
==================================================================
<?php
include('config.php');
session_start();
if (isset($_REQUEST['usuario']))
    $usuario = $_REQUEST['usuario'];
else
    die("Fill in the User field");
if (isset($_REQUEST['email']))
    $email = $_REQUEST['email'];
else
    die("Fill in the Email field");
if (isset($_REQUEST['contrasena']))
    $contrasena = $_REQUEST['contrasena'];
else
    die("Fill in the Password field");
if (isset($_REQUEST['emailalternativo']))
    $emailalternativo = $_REQUEST['emailalternativo'];
else
    die("Fill in the alternative email field");
if (isset($_REQUEST['actualcontrasena']))
    $actualcontrasena = $_REQUEST['actualcontrasena'];
else
    die("Enter your current password");
if ($actualcontrasena == NULL) {
    echo "Enter your current password";
} else {
    // Look up the stored password for this user; the user name is escaped so
    // that it cannot alter the query
    $usuario_sql = mysql_real_escape_string($usuario, $con);
    $query = mysql_query("SELECT usuario, `PASSWORD` FROM myhosting_usuarios WHERE usuario = '$usuario_sql'", $con) or die(mysql_error());
    $data = mysql_fetch_array($query);
    // Whoever forges the request does not know the current password, so the
    // comparison fails and the data is left unchanged
    if ($data['PASSWORD'] != $actualcontrasena) {
        echo "Invalid current password";
    } else {
        CambiarDatos($usuario, $email, $contrasena, $emailalternativo);
    }
}
?>
==================================================================
What we do in this case is select the current password from the "PASSWORD" field of the
myhosting_usuarios table in the database; if it is different, the data is not changed, and
only if the password matches is the update performed.
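As an added example (not code from the original paper), the same MyHosting form protected with a random per-session token, emitted by index.php and required by datos.php, alongside the paper's current-password check; this is the general form of the same idea: the request must carry a value that a page on another site cannot know. The names csrf_token_field, csrf_token_valid and cambiar_datos_seguro, the $pdo connection, passwords stored as password_hash() values in the PASSWORD column and the account name kept in $_SESSION['usuario'] at login are assumptions; the table and field names follow the paper.

```php
<?php
// Added example, not from the original paper. Assumes PHP >= 7, a PDO
// connection $pdo (assumed to be created by config.php), password_hash()
// values in the PASSWORD column and $_SESSION['usuario'] set at login.

// index.php: echo this inside the form (after session_start()) so that the
// form carries a random token that only this browser session has been given.
function csrf_token_field(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    $t = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $t . '">';
}

// datos.php: accept the token only if it equals the one stored in the session.
// A page on atacante.com cannot read the victim's session, so a forged <img>
// or auto-submitted form never carries a valid token.
function csrf_token_valid(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// datos.php: POST only (an <img> can only issue GET), token first, then the
// paper's current-password check, then the update for the logged-in user.
function cambiar_datos_seguro(PDO $pdo, string $method, array $post): string
{
    if ($method !== 'POST' || !csrf_token_valid($post)) {
        return 'Request rejected: missing or invalid CSRF token';
    }
    foreach (['email', 'contrasena', 'emailalternativo', 'actualcontrasena'] as $campo) {
        if (!isset($post[$campo]) || $post[$campo] === '') {
            return "Fill in the field $campo";
        }
    }
    $usuario = $_SESSION['usuario'] ?? '';   // never taken from the request
    $stmt = $pdo->prepare('SELECT `PASSWORD` FROM myhosting_usuarios WHERE usuario = ?');
    $stmt->execute([$usuario]);
    $fila = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$fila || !password_verify($post['actualcontrasena'], $fila['PASSWORD'])) {
        return 'Invalid current password';
    }
    CambiarDatos($usuario, $post['email'], $post['contrasena'], $post['emailalternativo']);
    return 'Data changed';
}
```

datos.php calls session_start() and then echo cambiar_datos_seguro($pdo, $_SERVER['REQUEST_METHOD'], $_POST); with this in place the <img> page from the previous section is rejected before any field is even read.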