
CSRF attacks, ASP.NET MVC 4


CSRF stands for Cross-Site Request Forgery, a technique for fooling a website into executing commands on behalf of a trusted (authenticated) user.

How it works
Commonly, a malicious user sends a link to another user who may be authenticated on the target site, and uses that user's session to execute commands such as transferring money or changing the email address.

CSRF in action
This time I’ll be working on a website that allows authenticated users to buy pastries at the online store. In this case, the goal of the attacker is to get a bunch of muffins on somebody else’s Mastercard.

The target site has a couple of web pages that allow users to log on, buy products and see their order history:


Before going on, it is worth mentioning that after a user has successfully authenticated to a website, the web browser sends the authentication cookie on every subsequent request to the server until the session expires (usually after 20 minutes of inactivity). This means that no incoming request from that session is challenged for authentication (the user is not redirected to the login page), even when it accesses secured resources.

By using a web debugging tool like Fiddler, we can inspect the HTTP traffic, view the HTTP headers and understand how this works.


On login:


On every subsequent request after a successful login:


* ASPXAUTH is the ASP.NET authentication cookie.

If an attacker can see the source code of the target page, he can easily compose and submit a form to perform a CSRF attack.

The bad guy at work
With a little social engineering, the bad guy figures out that the target site is very busy on Friday mornings, when everybody is buying pastries for the office (a common thing to do in my country). He assumes that if he emails links to the website’s hottest offers to a bunch of people, a couple of them will be customers interested in those offers and will click the links; if one of them still has a live session cookie, that person becomes a victim of the attack.

How to compose and submit the form
The first step is to take a look at the target page's source code:



Now that we know the form structure, we can build a script like this:


By using this script, we post an order at the online store using the good guy's session, and the order will be delivered to the bad guy's address (also note that the form is never displayed).

Wanna try it yourself?
Follow these steps:
  1. Download the sample app from here
  2. Build and run the website
  3. Register/Login
  4. Place an order
  5. View your orders history
So far, you have just used the site. Now click on this link (this is the link that the bad guy will be sending by email) and see what happens. You should see a page with the message "The offer has expired, blah, blah, blah..." and then be redirected to our website’s main page.

Now go to your order history and you will see what really happened ;)

If all went as planned, you should see an order that you haven't posted, with the delivery address pointing to the bad guy's address. If this were a real site, this would have been a CSRF attack: you would be paying the bills and the bad guy would be getting the stuff.

In future posts I’ll be covering some alternatives that ASP.NET provides to prevent this kind of attack.
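
Why the unexpected order was accepted, and the check that would have rejected it, as an added example that is not part of the sample app or the original post: both requests carry the same authentication cookie, so only a value the third-party page cannot read tells them apart. The class names, the `address` field, the server key and the HMAC-based token are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Constructed model of the store's order endpoint; all names are hypothetical.
class Request
{
    public string AuthCookie;   // value of the authentication cookie the browser attached
    public Dictionary<string, string> Form = new Dictionary<string, string>();
}

static class OrderEndpoint
{
    // Constructed demo key; a real server keeps a random secret.
    static readonly byte[] ServerKey = Encoding.UTF8.GetBytes("demo-only-server-secret");

    // Token the server renders into its own order form: HMAC over the session value.
    public static string IssueToken(string authCookie)
    {
        using (var hmac = new HMACSHA256(ServerKey))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(authCookie)));
    }

    // Cookie-only check: the behaviour the walkthrough relies on.
    public static bool AcceptCookieOnly(Request r) { return !string.IsNullOrEmpty(r.AuthCookie); }

    // Hardened check: the cookie plus a form token only the site's own page could contain.
    public static bool AcceptWithToken(Request r)
    {
        string sent;
        if (string.IsNullOrEmpty(r.AuthCookie) || !r.Form.TryGetValue("__RequestVerificationToken", out sent))
            return false;
        byte[] a = Encoding.UTF8.GetBytes(sent ?? ""), b = Encoding.UTF8.GetBytes(IssueToken(r.AuthCookie));
        int diff = a.Length ^ b.Length;   // constant-time comparison
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

static class Program
{
    static void Main()
    {
        const string cookie = "CONSTRUCTED-SESSION-VALUE";
        var genuine = new Request { AuthCookie = cookie };   // posted from the site's own form
        genuine.Form["__RequestVerificationToken"] = OrderEndpoint.IssueToken(cookie);
        var forged = new Request { AuthCookie = cookie };    // cookie attached automatically, no token
        forged.Form["address"] = "someone else's address";
        Console.WriteLine("cookie only: genuine={0} forged={1}", OrderEndpoint.AcceptCookieOnly(genuine), OrderEndpoint.AcceptCookieOnly(forged));
        Console.WriteLine("with token:  genuine={0} forged={1}", OrderEndpoint.AcceptWithToken(genuine), OrderEndpoint.AcceptWithToken(forged));
    }
}
```

In an MVC 4 application this job belongs to the framework's `@Html.AntiForgeryToken()` helper and `[ValidateAntiForgeryToken]` attribute, which pair a cookie token with the `__RequestVerificationToken` form field; the HMAC scheme above is a simplified stand-in for that mechanism.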

Note: this technique does not apply only to ASP.NET; CSRF attacks can be performed against other web technologies such as Ruby on Rails or PHP.





