
Perimeter | Commentary

4/21/2010 02:06 PM
John H. Sawyer

CSRF Attacks Get New PoC Creation Tool

Cross-site request forgery (CSRF) is a powerful attack that can have devastating consequences. It's not a new attack, but new tools are released every year because Web developers don't always write secure code that can prevent these attacks. Often, CSRF vulnerabilities go undetected because automated scanners have difficulty detecting them.

OWASP states that the vulnerability is widespread and can affect any Web application that does not check authorization on vulnerable actions, that will process an action if a default login can be passed via the Web request, or that authorizes requests based only on automatically submitted credentials, such as in a single sign-on environment.

Sounds interesting, right? So what can you do with CSRF? There are a slew of different options, and it depends on the vulnerable Web application. For example, I grabbed two wireless routers I had sitting in my office. One was from Netgear and the other from Linksys. A quick test showed both were vulnerable to CSRF, and I could create a Web page that would log me out of both just by opening the page in my browser while logged in. Not particularly exciting, but it gets worse.

In the SANS SEC 560 course, there is an exercise where the students demonstrate CSRF attacks against a fictitious banking site. The attack allows the students to transfer money from victims' accounts into their own. Similar to the router CSRF attack I mentioned above, there have been several proof-of-concepts where researchers have shown how consumer routers could be modified to point to malicious DNS servers in order to redirect valid traffic to the attacker's servers.
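The transfer scenario above is the textbook case of the OWASP condition: the server authorizes on the session cookie the browser attaches automatically, so a forged request from another page is indistinguishable from a legitimate one. The following example, added here and not part of the original post or of any SANS course material, models a minimal transfer handler two ways: the vulnerable form that trusts the cookie alone, and a hardened form that additionally requires a per-session synchronizer token and a same-site Origin/Referer header. The session store, account balances, site origin `https://bank.example`, and request dictionaries are all constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory state: session cookie -> user, per-session CSRF tokens, balances.
SESSIONS = {"sess-alice": "alice"}
CSRF_TOKENS = {}
BALANCES = {"alice": 1000, "mallory": 0}
SITE_ORIGIN = "https://bank.example"  # assumed origin of the banking site


def issue_csrf_token(session_id):
    """Mint a fresh synchronizer token for this session; the server embeds it in the form."""
    token = secrets.token_urlsafe(32)
    CSRF_TOKENS[session_id] = token
    return token


def transfer_vulnerable(request):
    """Authorizes on the session cookie alone: exactly the pattern CSRF abuses."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return "401 not logged in"
    return _do_transfer(user, request["form"])


def transfer_hardened(request):
    """Same action, but a forged page cannot read the token or spoof the Origin."""
    session_id = request["cookies"].get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 not logged in"
    expected = CSRF_TOKENS.get(session_id)
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison; an unset token never matches.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "403 bad csrf token"
    if not _same_origin(request["headers"]):
        return "403 cross-site request"
    return _do_transfer(user, request["form"])


def _same_origin(headers):
    """Defense in depth: accept only if Origin (or, failing that, Referer) names the site."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def _do_transfer(user, form):
    """Move funds between the constructed accounts after basic sanity checks."""
    amount = int(form.get("amount", "0"))
    dest = form.get("to")
    if amount <= 0 or BALANCES.get(user, 0) < amount or dest not in BALANCES:
        return "400 invalid transfer"
    BALANCES[user] -= amount
    BALANCES[dest] += amount
    return f"200 moved {amount} from {user} to {dest}"


if __name__ == "__main__":
    # A request carrying the victim's cookie but originating elsewhere and lacking a token.
    forged = {"cookies": {"session": "sess-alice"},
              "form": {"to": "mallory", "amount": "100"},
              "headers": {"Origin": "https://evil.example"}}
    print("vulnerable:", transfer_vulnerable(forged))
    print("hardened:  ", transfer_hardened(forged))
```

The token is the primary control: it is bound to the session, unreadable from another origin, and must be echoed in the form body, so a request the browser assembles on the attacker's behalf fails before any money moves. The Origin/Referer check is secondary, since older browsers may omit both headers; the code therefore treats a missing header as cross-site rather than as acceptable.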

A new tool for creating proof-of-concept CSRF attacks was released recently called piñata. It is written in Python and designed to take an HTTP request for the vulnerable Web page and turn it into an HTML file containing the CSRF attack. It works for both GETs and POSTs. I tested the tool with several requests against my vulnerable wireless routers by first grabbing the HTTP request via Paros proxy.

The first several test runs threw errors that required me to clean up the requests. It seems piñata was having trouble parsing the User-Agent string in my requests. Once I trimmed it to one value, piñata created the appropriate CSRF attack file. I had similar problems with both GETs and POSTs, but was able to get them to work eventually.
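The parsing trouble described above comes from treating a header value as a single token when User-Agent strings routinely contain spaces, semicolons and extra colons. The following example is added here and is not piñata's code: it parses a captured request into method, path, headers, query and form fields while keeping every header value whole, and then applies a simple assessment heuristic, `looks_unprotected`, that flags a parameterized request carrying no token-like field so a tester knows which captured requests deserve a CSRF check. The sample requests, their hosts and the `csrf`/`token`/`nonce` field-name hints are all constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample capture (not the article's router): a multi-token User-Agent with
# spaces, semicolons, parentheses and an embedded colon ("rv:1.9.2").
SAMPLE_POST = (
    "POST /apply.cgi HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) "
    "Gecko/20100115 Firefox/3.6\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 30\r\n"
    "\r\n"
    "action=logout&submit_button=ok"
)

SAMPLE_GET = (
    "GET /cgi-bin/logout.cgi?confirm=1 HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "User-Agent: curl/7.19.7\r\n"
    "\r\n"
)

# Field-name fragments that usually indicate an anti-CSRF token (assumed heuristic).
TOKEN_HINTS = ("csrf", "token", "nonce")


def parse_raw_request(raw):
    """Split a raw HTTP/1.x request into its parts without mangling header values."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    words = request_line.split()
    method, target = words[0], words[1]
    version = words[2] if len(words) > 2 else "HTTP/0.9"

    headers = {}
    for line in header_lines:
        if not line:
            continue
        # Split on the FIRST colon only, so "rv:1.9.2" inside the value survives.
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # Honour Content-Length when present; otherwise take whatever followed the blank line.
    declared = int(headers.get("content-length", len(body)))
    body = body[:declared]

    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    return {"method": method, "path": parts.path, "version": version,
            "headers": headers, "query": query, "form": form}


def looks_unprotected(parsed):
    """True when the request carries parameters but none of them resembles a CSRF token."""
    params = {**parsed["query"], **parsed["form"]}
    if not params:
        return False
    return not any(hint in name.lower() for name in params for hint in TOKEN_HINTS)


if __name__ == "__main__":
    for raw in (SAMPLE_POST, SAMPLE_GET):
        req = parse_raw_request(raw)
        print(req["method"], req["path"], "user-agent:", req["headers"]["user-agent"])
        print("  params:", {**req["query"], **req["form"]},
              "unprotected:", looks_unprotected(req))
```

The heuristic is deliberately conservative: a request with no parameters is not flagged, and any field whose name mentions a token is taken as a sign the developer has at least attempted a defense; confirming that the token is actually validated is still manual work.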

The feature I particularly like is the ability to create CSRF attacks against forms that use the POST method. Piñata creates an attack file with JavaScript that automatically submits the form with the appropriate form values, a big time-saver.

If you spend any time penetration testing Web applications or work with your Web developers to ensure their code is secure, then make sure you're testing for CSRF vulnerabilities. By the time you do, maybe some of the bugs in piñata will have been worked out. It's definitely a good start for those not familiar with what it takes to craft a CSRF attack using POSTs and JavaScript.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
