Please Enable referer Headers for This Site and Try Again.
Cross-site request forgery (CSRF)
In this section, we'll explain what cross-site request forgery is, describe some examples of common CSRF vulnerabilities, and explicate how to prevent CSRF attacks.
What is CSRF?
Cantankerous-site asking forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform deportment that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to preclude different websites from interfering with each other.
Labs
If you're already familiar with the bones concepts behind CSRF vulnerabilities and but want to practice exploiting them on some realistic, deliberately vulnerable targets, you lot can admission all of the labs in this topic from the link below.
View all CSRF labs
What is the touch on of a CSRF attack?
In a successful CSRF attack, the assailant causes the victim user to comport out an activity unintentionally. For example, this might be to alter the email accost on their account, to change their password, or to brand a funds transfer. Depending on the nature of the activity, the assaulter might be able to gain full control over the user'due south account. If the compromised user has a privileged role within the awarding, then the attacker might be able to take full control of all the application's information and functionality.
How does CSRF work?
For a CSRF attack to exist possible, three primal weather must be in identify:
- A relevant action. There is an action within the application that the assaulter has a reason to induce. This might exist a privileged action (such as modifying permissions for other users) or whatsoever action on user-specific data (such as changing the user'south own password).
- Cookie-based session handling. Performing the action involves issuing one or more HTTP requests, and the application relies solely on session cookies to identify the user who has made the requests. In that location is no other mechanism in identify for tracking sessions or validating user requests.
- No unpredictable asking parameters. The requests that perform the action do not contain any parameters whose values the aggressor cannot determine or guess. For example, when causing a user to change their countersign, the function is not vulnerable if an assaulter needs to know the value of the existing password.
For example, suppose an application contains a function that lets the user change the e-mail address on their account. When a user performs this activity, they make an HTTP request like the post-obit:
Postal service /email/alter HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Content-Length: xxx Cookie: session=yvthwsztyeQkAPzeQ5gHgTvlyxHfsAfE email=wiener@normal-user.com
This meets the weather required for CSRF:
- The activeness of changing the email address on a user'south account is of interest to an attacker. Following this activity, the attacker will typically be able to trigger a password reset and accept full control of the user's account.
- The application uses a session cookie to identify which user issued the request. There are no other tokens or mechanisms in place to rails user sessions.
- The aggressor tin easily determine the values of the request parameters that are needed to perform the action.
With these atmospheric condition in place, the aggressor can construct a web page containing the following HTML:
<html> <body> <form activeness="https://vulnerable-website.com/electronic mail/alter" method="Postal service"> <input type="hidden" name="email" value="pwned@evil-user.internet" /> </form> <script> document.forms[0].submit(); </script> </body> </html>
If a victim user visits the assaulter's web page, the post-obit will happen:
- The attacker'southward page will trigger an HTTP request to the vulnerable web site.
- If the user is logged in to the vulnerable web site, their browser will automatically include their session cookie in the request (bold SameSite cookies are not existence used).
- The vulnerable web site volition process the request in the normal way, treat information technology as having been fabricated by the victim user, and alter their electronic mail address.
Annotation
Although CSRF is ordinarily described in relation to cookie-based session handling, it also arises in other contexts where the application automatically adds some user credentials to requests, such as HTTP Bones authentication and certificate-based hallmark.
How to construct a CSRF attack
Manually creating the HTML needed for a CSRF exploit can be cumbersome, particularly where the desired request contains a large number of parameters, or in that location are other quirks in the request. The easiest way to construct a CSRF exploit is using the CSRF PoC generator that is built in to Burp Suite Professional:
- Select a request anywhere in Burp Suite Professional person that you want to test or exploit.
- From the right-click context menu, select Appointment tools / Generate CSRF PoC.
- Burp Suite will generate some HTML that will trigger the selected request (minus cookies, which will be added automatically by the victim'south browser).
- You tin can tweak various options in the CSRF PoC generator to fine-tune aspects of the assail. Y'all might need to do this in some unusual situations to deal with quirky features of requests.
- Re-create the generated HTML into a spider web page, view it in a browser that is logged in to the vulnerable web site, and examination whether the intended request is issued successfully and the desired activity occurs.
How to deliver a CSRF exploit
The delivery mechanisms for cross-site asking forgery attacks are substantially the same as for reflected XSS. Typically, the assaulter will place the malicious HTML onto a spider web site that they command, and so induce victims to visit that web site. This might be washed by feeding the user a link to the web site, via an email or social media message. Or if the attack is placed into a popular web site (for instance, in a user annotate), they might only expect for users to visit the web site.
Note that some simple CSRF exploits utilise the GET method and tin can be fully self-contained with a single URL on the vulnerable web site. In this state of affairs, the assailant may non need to apply an external site, and can direct feed victims a malicious URL on the vulnerable domain. In the preceding case, if the asking to modify email address can exist performed with the GET method, then a self-contained attack would look similar this:
<img src="https://vulnerable-website.com/email/alter?email=pwned@evil-user.internet">
Preventing CSRF attacks
The most robust way to defend against CSRF attacks is to include a CSRF token within relevant requests. The token should exist:
- Unpredictable with high entropy, every bit for session tokens in full general.
- Tied to the user's session.
- Strictly validated in every instance before the relevant action is executed.
An additional defense that is partially constructive against CSRF, and tin be used in conjunction with CSRF tokens, is SameSite cookies.
Common CSRF vulnerabilities
Most interesting CSRF vulnerabilities arise due to mistakes made in the validation of CSRF tokens.
In the previous case, suppose that the application now includes a CSRF token within the request to change the user's email:
Postal service /email/modify HTTP/i.i Host: vulnerable-website.com Content-Type: application/10-world wide web-form-urlencoded Content-Length: 68 Cookie: session=2yQIDcpia41WrATfjPqvm9tOkDvkMvLm csrf=WfF1szMUHhiokx9AHFply5L2xAOfjRkE&e-mail=wiener@normal-user.com
This ought to forbid CSRF attacks because it violates the necessary weather condition for a CSRF vulnerability: the awarding no longer relies solely on cookies for session handling, and the request contains a parameter whose value an attacker cannot make up one's mind. Withal, at that place are diverse ways in which the defense force can exist broken, meaning that the awarding is still vulnerable to CSRF.
Validation of CSRF token depends on request method
Some applications correctly validate the token when the asking uses the Post method but skip the validation when the Become method is used.
In this state of affairs, the attacker can switch to the GET method to bypass the validation and deliver a CSRF attack:
GET /email/change?email=pwned@evil-user.net HTTP/1.1 Host: vulnerable-website.com Cookie: session=2yQIDcpia41WrATfjPqvm9tOkDvkMvLm
Validation of CSRF token depends on token beingness nowadays
Some applications correctly validate the token when it is present simply skip the validation if the token is omitted.
In this situation, the attacker tin can remove the entire parameter containing the token (not just its value) to bypass the validation and deliver a CSRF attack:
Mail /e-mail/change HTTP/1.one Host: vulnerable-website.com Content-Blazon: application/x-www-form-urlencoded Content-Length: 25 Cookie: session=2yQIDcpia41WrATfjPqvm9tOkDvkMvLm e-mail=pwned@evil-user.net
CSRF token is not tied to the user session
Some applications do not validate that the token belongs to the same session as the user who is making the asking. Instead, the awarding maintains a global pool of tokens that it has issued and accepts any token that appears in this puddle.
In this situation, the attacker tin log in to the awarding using their ain account, obtain a valid token, and so feed that token to the victim user in their CSRF attack.
CSRF token is tied to a non-session cookie
In a variation on the preceding vulnerability, some applications do necktie the CSRF token to a cookie, merely not to the same cookie that is used to rails sessions. This tin easily occur when an application employs two different frameworks, one for session handling and one for CSRF protection, which are not integrated together:
POST /email/modify HTTP/1.one Host: vulnerable-website.com Content-Type: awarding/10-www-form-urlencoded Content-Length: 68 Cookie: session=pSJYSScWKpmC60LpFOAHKixuFuM4uXWF; csrfKey=rZHCnSzEp8dbI6atzagGoSYyqJqTz5dv csrf=RhV7yQDO0xcq9gLEah2WVbmuFqyOq7tY&email=wiener@normal-user.com
This situation is harder to exploit but is all the same vulnerable. If the spider web site contains any behavior that allows an assailant to set a cookie in a victim's browser, then an assault is possible. The attacker can log in to the application using their ain account, obtain a valid token and associated cookie, leverage the cookie-setting behavior to identify their cookie into the victim's browser, and feed their token to the victim in their CSRF set on.
Annotation
The cookie-setting behavior does not even need to exist inside the same spider web application as the CSRF vulnerability. Whatever other application within the same overall DNS domain can potentially be leveraged to ready cookies in the application that is being targeted, if the cookie that is controlled has suitable telescopic. For example, a cookie-setting role on staging.demo.normal-website.com
could exist leveraged to place a cookie that is submitted to secure.normal-website.com
.
CSRF token is simply duplicated in a cookie
In a further variation on the preceding vulnerability, some applications do non maintain whatsoever server-side record of tokens that have been issued, but instead indistinguishable each token within a cookie and a asking parameter. When the subsequent request is validated, the application but verifies that the token submitted in the asking parameter matches the value submitted in the cookie. This is sometimes called the "double submit" defense against CSRF, and is advocated considering it is simple to implement and avoids the need for any server-side land:
Postal service /electronic mail/change HTTP/ane.1 Host: vulnerable-website.com Content-Type: awarding/x-www-class-urlencoded Content-Length: 68 Cookie: session=1DQGdzYbOJQzLP7460tfyiv3do7MjyPw; csrf=R8ov2YBfTYmzFyjit8o2hKBuoIjXXVpa csrf=R8ov2YBfTYmzFyjit8o2hKBuoIjXXVpa&e-mail=wiener@normal-user.com
In this state of affairs, the attacker can again perform a CSRF assault if the web site contains any cookie setting functionality. Hither, the attacker doesn't need to obtain a valid token of their own. They merely invent a token (peradventure in the required format, if that is beingness checked), leverage the cookie-setting behavior to place their cookie into the victim's browser, and feed their token to the victim in their CSRF attack.
Referer-based defenses confronting CSRF
Aside from defenses that apply CSRF tokens, some applications make use of the HTTP Referer
header to endeavor to defend against CSRF attacks, normally by verifying that the request originated from the application'due south own domain. This approach is generally less effective and is often discipline to bypasses.
Referer header
The HTTP Referer header (which is inadvertently misspelled in the HTTP specification) is an optional request header that contains the URL of the web page that linked to the resource that is being requested. Information technology is generally added automatically by browsers when a user triggers an HTTP asking, including by clicking a link or submitting a grade. Various methods be that allow the linking page to withhold or modify the value of the Referer
header. This is often done for privacy reasons.
Some applications validate the Referer
header when it is present in requests only skip the validation if the header is omitted.
In this situation, an attacker can arts and crafts their CSRF exploit in a mode that causes the victim user's browser to drop the Referer
header in the resulting request. There are various ways to achieve this, only the easiest is using a META tag within the HTML page that hosts the CSRF attack:
<meta name="referrer" content="never">
Validation of Referer can be circumvented
Some applications validate the Referer
header in a naive mode that tin can exist bypassed. For example, if the awarding validates that the domain in the Referer
starts with the expected value, then the attacker can place this as a subdomain of their own domain:
http://vulnerable-website.com.attacker-website.com/csrf-attack
Likewise, if the application merely validates that the Referer
contains its own domain name, so the assailant can identify the required value elsewhere in the URL:
http://attacker-website.com/csrf-attack?vulnerable-website.com
Annotation
Although you may exist able to identify this behavior using Burp, yous volition ofttimes find that this approach no longer works when y'all become to exam your proof-of-concept in a browser. In an try to reduce the risk of sensitive data existence leaked in this way, many browsers now strip the query string from the Referer
header by default.
Y'all can override this beliefs by making sure that the response containing your exploit has the Referrer-Policy: dangerous-url
header set (notation that Referrer
is spelled correctly in this case, but to make sure you're paying attending!). This ensures that the full URL volition exist sent, including the query string.
Source: https://portswigger.net/web-security/csrf
0 Response to "Please Enable referer Headers for This Site and Try Again."
Post a Comment