Before going directly into the topic i.e How to hack website using CSRF. Lets see what is CSRF and how it came into existence?
Browser is a software application which locates, retrives and displays content on the World Wide Web. The content includes Web pages, Audio, Video, Images and other files.
Here, Browser is the client which contacts the server and requests for the information. Server then processes the request and sends the response to the client(Browser). Browser displays the response on the computer.
Browser includes the following information before sending request to the server.
- Source IP address, port and proxy
- Destination IP address, port, host and protocol
- Requested URL
- Requested method and content
- User agent
- Referring Page
If a request is sent from the browser in which a user is authenticated to the server, server might check the authentication and IP address. The result will be true, then it processes the request.
Just imagine, what If we can make a someone’s browser to send request to some website without his notice?
This idea is the origin for CSRF attacks.
What is CSRF or XSRF or sea-surf (Cross Site Request Forgery)?
This attack occurs when a Web site, message, blog or anything causes a user’s Web browser to send unauthorized commands(requests) to the site for which the user is currently authenticated. As the request is from a autheticated user the server processes the request.
Limitations of CSRF:-
- Target website should not check refferrer header of the request.
- There must be some forms or URL that has side effects, that do something based on our request.
- The victim should be authenticated in target website in that browser, while this attack occurs in his browser.
- The attacker must determine all the values in the forms; If any of them is required to be secret or authentication values which the attacker cannot guess, the attack will fail.
How to Hack Website using CSRF?
Step 1:- Target a website. Let it be example.com.
Step 2:- Log in to the website in a browser.
Step 3:- Find forms or URL in the website that do something based on the request.
Step 4:- Try to determine every value in the form or URL. If you cannot determine every value in that form, it is not possible to hack.
Step 5:- Create a local file.
Step 6:- Edit the file such that it should look like
<form name=”securefrm” action=”http://www.example.com/transferMoney.asp” method=”post”>
<input type=”hidden” name=”to” value=”Vishnu”>
<input type=”hidden” name=”amount” value=”1000″>
<input type=”hidden” name=”currency” value=”INR”>
<input type=”hidden” name=”secureInput” value=”dsajkfnasdfjnk”>
Step 7:- Open the file in the browser in which you have logged into example.com website.
Step 8:- Open example.com in a new tab. Check whether the request is successful i.e whether the name is changed or the transaction is made.
Step 9:- If the above step is successful then the website(example.com) is vulnerable to CSRF attack else the website is secure against CSRF attack or you might have done something wrong in step 6, Try again.
Step 10:- Embed the code in Mail or your website or message or blog. Share the link to public. That’s it, the users who ever views that page and logged into example.com website
- Before processing the request the origin header and referrer header should be checked
- Authentication should be done again before processing critical operations like money transfers or password change
- CAPTCHA should be added for forms.
- Adding nonce to the form.
- User can’t blame the website because of poor security. User should log out his session after using the website or use separate browsers, one for secure websites and other for malicious websites.