Cross-Site Request Forgery
In this post, I’ll explain a common way the bad guys steal your information. I’ll use the literary technique of schizophrenic paragraphs to help explain the hacker’s technique.
The techie guys gave it an acronym: CSRF, because that’s one of the things that gives them pleasure. All spelled out, CSRF looks like this:
Cross-Site Request Forgery
Myself: Sounds like a big technical mumbo-jumbo thing. Do I really care?
Me: Well, would you normally change the email address of your account to that of a hacker that lives three states over and you’ve never met? Probably not.
Myself: Ok, I’ll take the first bite, but don’t lose me, got it?
Me: Sure, no problem. Bad guys can try to get your information or trick you into doing something you wouldn’t ordinarily do through a CSRF attack. I’ll lay it out so you can see how it works. It’s not that complicated.
Me: Let’s say you open your favorite browser and surf away like you normally do. You find a site that you’ve never been to before, but it looks interesting enough so you sign up for a newsletter. You enter your email address and click the submit button. Wham! You’re done.
Myself: Damn! Done, eh?
Me: Yep. Those little buggers are quick.
Myself: So, what happened?
Me: Ok, let’s replay that attack. You browsed a site you didn’t know, or have reason to trust, for that matter. When you submitted that web form, you didn’t know it was actually posting information to your favorite social media website. This is to say, directly from your browser to the social media site. It wasn’t really adding your email address to their newsletter list as you assumed.
Myself: Well, that’s weird, but so what?
Me: I’ll say this again a different way: instead of posting info from your browser to Site A, it was actually posting info from your browser to Site B, where A is the hacker’s site and B is your trusted social media site.
Myself: Web pages can do that?
Me: Yep, it’s just an HTML <form> tag; you can point its action at any site you want.
Myself: Ok, so if this is true, then why isn’t the sky falling right now?
Me: Well, there are ways to help prevent this attack, plus it’s somewhat new in terms of mainstream threats, and most importantly, not every hacker in the world is out to get you at this very minute.
Myself: So what did it post to my favorite social media website and why do I care?
Me: Well, it posted your email address.
Myself: Great! I got news for you. My email address is already on my social media website. I don’t think I’ve lost much.
Me: Well, it posted some other stuff too. Actually, your current email address isn’t what you think it is.
Myself: Uhmmm, go on.
Me: The hacker took a chance that you might actually be logged into your social media website at the time you submitted the form on his site.
Myself: Is this like the phishing thing I’ve been hearing about?
Me: Kind of, but let’s not muddy the waters by introducing new terms.
Myself: Fair enough, keep going, forget I said anything.
Me: Ok, so you were logged on to your favorite social media website when you submitted this form on the other site. This means that the social media site makes several features available to you like updating your status, posting a photo or interacting with a friend. You can only do that stuff when you’re signed in, right?
Myself: Yep. Got it.
Me: The hacker’s site posted your email address to the CHANGE EMAIL ADDRESS FORM on the social media site. In addition to your email address, he posted his email address as the new email address. When your browser posted that form, you sent the cookies and everything else along for the ride to the social media site. It looked like a totally legit request from the point of view of the social media website. All the form fields lined up and there was no reason to suspect it.
Myself: Well, that little piece of...
Me: Hold on, G rated audience here.
Myself: Sorry.
Me: No worries, you’re right to be upset. You see, the social media website should have been anticipating this type of attack.
Myself: Huh, go on.
Me: Well, because this type of attack works in any browser, it’s very likely that it will happen.
Myself: So, how can CSRF attacks be prevented?
Me: Well, one way is with the anti-forgery tokens inside Microsoft ASP.Net MVC.
Myself: One sec, you said you wouldn’t get technical.
Me: I’m not; it’s just a brand name, Microsoft ASP.Net MVC. You like brands don’t you?
Myself: Well, yeah. Sorry.
Me: No problem. Ok, we were going over anti-forgery tokens. Let’s say your cookie contained a long number. Let’s call that number a GUID.
Myself: Oh! Oh! Oh! A GUID is a globally unique identifier, right?
Me: Yes, very good. So the cookie contains a GUID, or a long number, right?
Myself: Yep. GooooooooooID. It’s fun to say.
Me: Focus please.
Myself: Sorry.
Me: Ok, the programmer who built the social media website’s change email address form could have placed another long number, or GUID, in the web form as a hidden field. The person filling out the form doesn’t need to know about the field, so it’s hidden and sent back to the web server when the form is posted. Just to clarify, what gets posted consists of all the fields you can see, plus the values in the cookie and the token value inside the hidden field.
Me: When the web server receives a post, it evaluates the posted fields and looks for normal problems. Of course it makes sure required fields are populated and stuff like that. The web server also checks the two GUIDs it received against each other. One GUID came from the cookie and the other from the token in the hidden field.
Me: It’s really hard for a hacker to have both numbers. The hacker can’t successfully guess the numbers either; they might as well guess your password. If the numbers don’t jibe, the web server stops processing the request, because it’s probably fraudulent. In the first case, where the hacker won, they got your browser to send your cookie along with the forged request. However, they wouldn’t be able to post a valid token, because that second number changes all the time. Wait, you’re using a complex password, right?
Myself: Um, yeah sure.
Me: Ok, we’ll talk about that one next time. For now, it’s just important that you’re aware of where you’re surfing on the net and to think about your actions. It takes everyone to help secure the Internet.
Myself: So, maybe I do need a stronger password, but if I understand you right, you’re saying that developers can help protect the sites they build from this type of shenanigans by using the anti-forgery tokens inside Microsoft ASP.Net MVC right?
Me: Yep. It’s really easy.
Myself: Cool, thanks for explaining how a CSRF attack works and how to prevent them.
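To show what “the anti-forgery tokens inside Microsoft ASP.Net MVC” look like in practice, here is an added example (not code from the original post) of the change-email form the dialogue describes; AccountController, ChangeEmail, the newEmail field and the view path are assumed names.

```csharp
using System.Web.Mvc;

public class AccountController : Controller
{
    // GET /Account/ChangeEmail: renders the form. In the Razor view,
    // @Html.AntiForgeryToken() writes the hidden field the post describes
    // and sets the paired anti-forgery cookie in the same response.
    [HttpGet]
    public ActionResult ChangeEmail()
    {
        return View();
    }

    // POST /Account/ChangeEmail: [ValidateAntiForgeryToken] checks that the
    // __RequestVerificationToken form field pairs with the anti-forgery cookie.
    // A form on the hacker's site makes the browser send the cookie, but the
    // hacker does not have this user's hidden token, so the pair does not
    // match and MVC throws HttpAntiForgeryException before this body runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        if (!ModelState.IsValid || string.IsNullOrWhiteSpace(newEmail))
        {
            return View();
        }
        // Persist newEmail for the signed-in user (User.Identity.Name) here;
        // the storage call is left out because it is application specific.
        return RedirectToAction("ChangeEmail");
    }
}

/* Views/Account/ChangeEmail.cshtml (Razor), the other half of the fix:

@using (Html.BeginForm("ChangeEmail", "Account", FormMethod.Post))
{
    @Html.AntiForgeryToken()
    @Html.TextBox("newEmail")
    <input type="submit" value="Change email" />
}
*/
```

Every state-changing POST action needs the attribute; a GET that changes state cannot be protected this way, because a GET carries no hidden form field.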