After our article summarising the 10 most frequent web attacks (as listed in the OWASP Top 10), we now look at each of them in turn and explain what is set up within our very-high-security Cloud, CerberHost, to protect websites against it.

One of these attacks gets very little media coverage and is therefore not well known: Cross-Site Request Forgery, or CSRF.

What is a CSRF vulnerability?


It is a flaw that affects web applications (websites, the back ends of mobile applications, etc.) whose state-changing functions are known to the attacker (adding a user account, changing a password, uploading files, and so on). This is typically the case for open-source web applications (e.g. WordPress) or for services open to the public (e.g. Facebook, Gmail), where anyone can study exactly which request each action sends.

The attacker uses social engineering to lure a victim who is logged in to the targeted web application onto a website the attacker controls.

Let us take the example of a Facebook user. If Facebook had a CSRF vulnerability and an attacker wanted to exploit it, one possible scenario would be as follows:

  • The Facebook user is logged in to his account
  • He receives a message inviting him to discover a photo album from which he can download the pictures he likes, for free (the social engineering step)
  • The user clicks on the link and lands on another website where the photos are presented
  • By clicking on the “download the picture” action, he not only downloads the picture but also lets the attacker perform an action on Facebook, because his browser sends a request to the vulnerable website with his session cookie attached
  • The result of this action can be “simply” a message posted from the user’s Facebook account, a change of his password, the creation of a new account, and so on. Because the attacker’s page cannot read the response (the browser’s same-origin policy prevents it), CSRF is about performing actions in the victim’s name rather than reading his data directly; the damage still ranges from spamming to complete account takeover

The attacker’s website often carries interactive elements such as forms (e.g. “connect via Facebook”). When the victim submits the form, it triggers the promised download but also sends a request to the vulnerable application; since the browser automatically attaches the victim’s session cookie for that domain, the application treats the request as a legitimate one. For instance, the button that submits the form actually sends the following request:

POST /login/password-change.php HTTP/1.1
Referer: http://myalbumphotos.com/csrf.php
User-Agent: ...
Content-Type: application/x-www-form-urlencoded
Host: monfacebook.fr
Content-Length: 39
Cookie: .ASPXAUTH=98A250...03BB37

password=123456&confirm_password=123456

Here, the attacker has changed the password of the victim’s account on the vulnerable application, without ever knowing the old one. The risks are numerous, from the theft and modification of information to uploading files that then enable code execution.

For more details on the types of risk linked to a vulnerable web application, see our detailed article here: Cybersecurity, an unknown and underestimated stake.

How to avoid CSRF vulnerabilities

These vulnerabilities are exploitable because the attacker knows every parameter that has to be included in the request. The idea behind the protection is therefore to make sure the attacker cannot know the whole content of the request. This is done by adding an anti-CSRF token: a random, unpredictable value generated by the server for each session (or each form), embedded in every state-changing form or request, and verified server-side before the action is performed. A request that arrives without the token, or with a wrong one, is rejected. Storing the token in the session cookie alone is not enough, since the browser sends that cookie with the forged request too; the value must travel in the request body or a custom header where the attacker’s page cannot place it. Modern browsers’ SameSite cookie attribute and a check of the Origin header are useful complements, but the token remains the reference protection.
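The following is an added illustration of the token check described above, not code from CerberHost or from the original article. It simulates, in memory and without any network, the server side of the password-change endpoint seen in the forged request earlier: a session store, a per-session token handed out with the legitimate form, and the handler that verifies it. Beyond the article, it also rejects a request whose Origin header does not match the site, as defence in depth. The function names, the session store, the origin value and the sample requests are all assumptions constructed for the example.

```python
"""Synchronizer-token CSRF protection for a password-change endpoint.

Added example (not CerberHost's code): an in-memory simulation of the
server side of the attack described in the article. Names, the session
store and the sample requests are assumptions made for this illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed origin of the protected site (the "Host" seen in the forged request).
SITE_ORIGIN = "https://monfacebook.fr"


@dataclass
class Session:
    """Server-side session: the user, his password and his anti-CSRF token."""
    user: str
    password: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed session store: cookie value -> Session.
SESSIONS = {}


def login(user, password):
    """Create a session and return the cookie value the browser will store."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = Session(user, password)
    return cookie


def render_password_form(cookie):
    """Return the hidden token the legitimate page embeds in its form.

    Only a page served by the site itself can obtain this value: the
    attacker's page cannot read it because of the same-origin policy.
    """
    return SESSIONS[cookie].csrf_token


def change_password(cookie, headers, form):
    """Handle POST /login/password-change.php; return (status, reason)."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, "not logged in"

    # Defence in depth: a form posted from the attacker's site carries the
    # attacker's Origin. Browsers always send Origin on cross-site POSTs.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"

    # Synchronizer token: the attacker cannot know this per-session value,
    # so a forged request either omits it or guesses wrong. Compare in
    # constant time so the check does not leak the token byte by byte.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"

    if form.get("password") != form.get("confirm_password"):
        return 400, "passwords do not match"
    session.password = form["password"]
    return 200, "password changed"


if __name__ == "__main__":
    victim = login("victim", "old-secret")

    # The forged request from the article: cookie attached by the browser,
    # attacker's Referer/Origin, no token. Constructed sample input.
    forged_headers = {"Referer": "http://myalbumphotos.com/csrf.php",
                      "Origin": "http://myalbumphotos.com"}
    forged_form = {"password": "123456", "confirm_password": "123456"}
    print("forged:", change_password(victim, forged_headers, forged_form))

    # The legitimate request: same cookie, plus the token from the real form.
    legit_headers = {"Origin": SITE_ORIGIN}
    legit_form = {"csrf_token": render_password_form(victim),
                  "password": "new-secret", "confirm_password": "new-secret"}
    print("legitimate:", change_password(victim, legit_headers, legit_form))
```

The forged request is refused twice over (wrong Origin, then no token), while the legitimate one succeeds because it carries the value only the site’s own page could have embedded. Note that the token is compared with `hmac.compare_digest` and is never accepted from the cookie itself.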

CerberHost’s answers to CSRF

Before any production launch on our CerberHost infrastructure, the experts of our security department carry out a security review in order to spot right away the “classic” vulnerabilities a website may have. If this review finds a CSRF vulnerability, concrete advice is given so that an adapted protection is put in place.

Discover CerberHost


CerberHost protects your website against all OWASP Top 10 attacks, and much more.

To see CerberHost in pictures, watch its presentation video HERE.

Lucie Saunois
An IT aficionado, especially when it comes to cybersecurity, since she joined OT Group in 2015, Lucie specialises in making technical, and often complex, topics understandable by anyone.