Skip to main content

CSFR attacks, ASP.NET MVC 4


CSRF stands for Cross Site Request Forgery and is a technique employed to fooling a website by executing commands on behalf of a trusted (authenticated) user.

How it works
Commonly a malicious user sends a link to another user that maybe is authenticated on the target site and uses their session to execute commands like transfer money, change the email address and stuff like that.

CSRF in action
This time I’ll be working on a web site that allows authenticated users buy pastries at the online store. In this case, the goal of the attacker is to get a bunch of muffins on somebody else’s Mastercard.

The target site has a couple of web pages that allow users to logon, buy products and see their orders history:


Before going on, something to worth to mention is that after a user is successfully authenticated to a  website, the web browser will be sending the authentication cookie on every subsequent request to the server until the session expire (usually after 20 minutes of inactivity). This means that any incoming request from that session won’t be challenged for authentication (The user will not be redirected to the login page) even if they were accessing to secure resources.

By using a web debugging tool like Fiddler we can inspect the HTTP traffic, view the HTTP headers and understand how it works.


On login:


On every subsequent request after a successful login:


* ASPXAUTH is the ASP.NET authentication cookie.

If an attacker can see the source code of the target page, he can easily compose and submit a form to perform a CSRF attack.

The bad guy at work
Doing a little of social engineering, the bad guy figures it out that the target site is very busy on Friday morning where everybody is buying pastries for the office (which is a common thing to do in my country), so he assumes that by sending emails with links to the website’s hottest offers to a bunch of people, eventually a couple of them will be customers and maybe be interested on those offers, so they will be clicking on those links and if one of them still have the session's cookie alive, he will become a victim of the attack.

How to compose and submit the form
The first step is take a look at the target page source code



Now that we know the form structure, we can build a script like this:


By using this script we are posting an order at the online store using the good guy's session that will be delivered to the bad guy's address (Also note that the form won't be displayed at all).

Wanna try it yourself?
Follow these steps:
  1. Download the sample app from here
  2. Build and run the website
  3. Register/Login
  4. Place an order
  5. View your orders history
So far, you just have used the site. Now click on this link (this is the link that the bad guy will be sending by email)  and you will see what happen. You should see a page with the message "The offer has expired, blah, blah, blah..." and then will be redirected to our website’s main page).

Now go to see your orders history and you will see what really happened ;)

If all went as planned, you should be seeing an order that you haven't posted, where the delivery address point to the bad guy's address, if this were a real site, this would have been aCSRF attack; you will be paying the bills and the bad guy will be getting stuff.

In future posts I’ll be covering some alternatives that ASP.NET provides to prevent this kind of attacks.

Note: this technique does not apply only to ASP.NET, CSRF attacks can be performed against other web technology such as Ruby on Rails or PHP.






Comments

  1. Your blog is pretty good and has some good articles which I like it especially about design.
    PHP MVC Development | Web Design Company Malaysia

    ReplyDelete

Post a Comment

Popular posts from this blog

Moving to Medium

It's been a long time since I want to give medium a try, and finally, I made some time to do it. To get started on the new platform, I'll be doing series on "Getting programming concepts, languages and tools". If it sounds interesting to you, please take a look at the first post  Getting AWK  and spread the word if you like it. I'm not going to migrate old entries to the new web site. They will remain here safe and sound! As usual, thanks for reading!

Working with unattended reports

In this post I‘ll show you how to create reports that NRapid will execute into an unattended mode. I strongly recommend using this kind of reports in automation scenarios only , and let the user see the print preview dialog in the rest of cases. The only difference between this reports and the standard ones, is that you will cannot make use of dialogs, the runtime will always pass in empty views to the ConfigureReport method. The ConfigureReport method will be executed, but you will have to grab the arguments from somewhere else. The execution pipeline is the same that NRapid uses for standard reports. This is the code to print out the whole list of categories in a dialogless mode. Notice that this report inherits from UnattendedReport class, this class tells to NRapid “run the report unattended”. Also notice that this class comes with a convenience method to configure the report with no arguments. You still can override the one that gets the view data but you will always

How to create MS Word documents from Office templates using C#

The OpenXML SDK allows you to do pretty much anything you want with office files such as Excel, Word, etc… While many people like this library, I found it complex, unintuitive and poorly documented, not to mention the awful xml format that uses under the hood to represent the documents, styles, etc. So I decided not to use it and build my own solution. If you, like me, don’t like that library, you will find in this post an alternative approach to build word documents from templates using c#. A neat trick to work with Office is to use the macro recorder to understand how things work. The macro recorder allows you to start a macro, do something by hand, stop it, and then take a look at the generated VBA code. Once you do this, you are pretty much set. This is how it looks the template I’am going to use. Note: save the file as a Word template (.dotx) This is the code to create Word documents from C#: By running the code, you should get a document that looks