Skip to main content

CSFR attacks, ASP.NET MVC 4

Image
By

CSRF stands for Cross Site Request Forgery and is a technique employed to fooling a website by executing commands on behalf of a trusted (authenticated) user.

How it works
Commonly a malicious user sends a link to another user that maybe is authenticated on the target site and uses their session to execute commands like transfer money, change the email address and stuff like that.

CSRF in action
This time I’ll be working on a web site that allows authenticated users buy pastries at the online store. In this case, the goal of the attacker is to get a bunch of muffins on somebody else’s Mastercard.

The target site has a couple of web pages that allow users to logon, buy products and see their orders history:


Before going on, something to worth to mention is that after a user is successfully authenticated to a  website, the web browser will be sending the authentication cookie on every subsequent request to the server until the session expire (usually after 20 minutes of inactivity). This means that any incoming request from that session won’t be challenged for authentication (The user will not be redirected to the login page) even if they were accessing to secure resources.

By using a web debugging tool like Fiddler we can inspect the HTTP traffic, view the HTTP headers and understand how it works.


On login:


On every subsequent request after a successful login:


* ASPXAUTH is the ASP.NET authentication cookie.

If an attacker can see the source code of the target page, he can easily compose and submit a form to perform a CSRF attack.

The bad guy at work
Doing a little of social engineering, the bad guy figures it out that the target site is very busy on Friday morning where everybody is buying pastries for the office (which is a common thing to do in my country), so he assumes that by sending emails with links to the website’s hottest offers to a bunch of people, eventually a couple of them will be customers and maybe be interested on those offers, so they will be clicking on those links and if one of them still have the session's cookie alive, he will become a victim of the attack.

How to compose and submit the form
The first step is take a look at the target page source code



Now that we know the form structure, we can build a script like this:


By using this script we are posting an order at the online store using the good guy's session that will be delivered to the bad guy's address (Also note that the form won't be displayed at all).

Wanna try it yourself?
Follow these steps:
  1. Download the sample app from here
  2. Build and run the website
  3. Register/Login
  4. Place an order
  5. View your orders history
So far, you just have used the site. Now click on this link (this is the link that the bad guy will be sending by email)  and you will see what happen. You should see a page with the message "The offer has expired, blah, blah, blah..." and then will be redirected to our website’s main page).

Now go to see your orders history and you will see what really happened ;)

If all went as planned, you should be seeing an order that you haven't posted, where the delivery address point to the bad guy's address, if this were a real site, this would have been aCSRF attack; you will be paying the bills and the bad guy will be getting stuff.

In future posts I’ll be covering some alternatives that ASP.NET provides to prevent this kind of attacks.

Note: this technique does not apply only to ASP.NET, CSRF attacks can be performed against other web technology such as Ruby on Rails or PHP.






Labels:

Comments

  1. Offshore PHP DevelopersDecember 31, 2012 at 9:57 AM

    Your blog is pretty good and has some good articles which I like it especially about design.
    PHP MVC Development | Web Design Company Malaysia

    ReplyDelete

Post a Comment

Popular posts from this blog

How to create MS Word documents from Office templates using C#

By
The OpenXML SDK allows you to do pretty much anything you want with office files such as Excel, Word, etc… While many people like this library, I found it complex, unintuitive and poorly documented, not to mention the awful xml format that uses under the hood to represent the documents, styles, etc. So I decided not to use it and build my own solution. If you, like me, don’t like that library, you will find in this post an alternative approach to build word documents from templates using c#. A neat trick to work with Office is to use the macro recorder to understand how things work. The macro recorder allows you to start a macro, do something by hand, stop it, and then take a look at the generated VBA code. Once you do this, you are pretty much set. This is how it looks the template I’am going to use. Note: save the file as a Word template (.dotx) This is the code to create Word documents from C#: By running the code, you should get a document that looks...
23 comments
Read more

Printing html using the embedded web browser control

By
In this post I’ll try to answer some questions about the web browser control and provide some workarounds for known issues involved in the printing process. I'm assuming that you have some experience with the web browser control and basic knowledge of COM and hosting APIs. So I’m not going to cover those topics. At the bottom of this page I’ve added the links to download a small library I wrote that takes care of printing HTML and a demo app so you can try it out without having to write any code by yourself. Using the code The HtmlPrinter class will allow you to print html from an URL or just passing the html as string, you can also specify the title and the number of copies you want to print. The code may look something like this: Now that we know how to use the API let get answer some questions. Why my app crashes when I try to print multiple copies of a page? Well, apparently when you send a lot of print commands to the web browser control, ther...
21 comments
Read more

Migrating an ASP.NET MVC 4 app from Azure websites to WinHost

By
About a week ago I've to migrate an ASP.NET MVC 4/EF5 application from Azure websites to WinHost. While the process was really smooth, there were some caveats related to database connections that I want to share with you. Create and setup the ftp profile on VS and configure the connection string was really easy, WinHost provide you those values and there is nothing special here. But once you deploy your website and try to see it online, you may get the “yellow screen of dead” with the message: "A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified)" Assuming you wrote the connection string properly, this happens because you cannot use the default connection name in your web.c...
2 comments
Read more