A while ago our friend Nir published a CSRF changing the Facebook password, and it was the last straw. I can recall at least 5 major CSRF vulnerabilities in Facebook published in the last 6 months. This level of web security is unacceptable nonsense for Facebook.
So, here is a short reminder about mitigation:
Every state-changing (POST) request must contain a random token. The server side must check it before processing the request, comparing it against the value stored in the received cookie: cookies[:token] == params[:token]. If any POST endpoint lacks it, something is clearly wrong with the implementation.
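The check described above, written out as an added Ruby example (this is not the post's code and not part of the CSRF Tool): the request is modelled as a method string plus two hashes standing in for the cookie jar and the params, which are assumptions made for this example, and the comparison deliberately does not stop at the first differing byte.

```ruby
require 'securerandom'

# Added example, not the post's code: double-submit cookie check for
# state-changing requests. `method`, `cookies` and `params` are plain values
# standing in for a real request object (an assumption of this example).
module CsrfCheck
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze
  TOKEN_BYTES  = 32

  # Fresh random token: set it in the cookie and embed it in every form.
  def self.new_token
    SecureRandom.hex(TOKEN_BYTES)
  end

  # Compare two strings without exiting early on the first differing byte,
  # so the time taken does not depend on how much of the token matched.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Returns true when the request may be processed: read-only methods pass,
  # every other method must carry a token in the params that matches the
  # token in the cookie. A cross-site form cannot read the cookie, so it
  # cannot supply a matching value.
  def self.allowed?(method, cookies, params)
    return true if SAFE_METHODS.include?(method.to_s.upcase)
    cookie_token = cookies[:token]
    return false unless cookie_token.is_a?(String) && !cookie_token.empty?
    secure_compare(cookie_token, params[:token])
  end
end

if __FILE__ == $PROGRAM_NAME
  t = CsrfCheck.new_token
  puts CsrfCheck.allowed?("POST", { token: t }, { token: t })        # true
  puts CsrfCheck.allowed?("POST", { token: t }, {})                  # false: no token in the form
  puts CsrfCheck.allowed?("POST", { token: t }, { token: "x" * 64 }) # false: wrong token
  puts CsrfCheck.allowed?("GET", {}, {})                             # true: read-only method
end
```

Note that `allowed?` lets GET, HEAD and OPTIONS through untouched, so it protects nothing on an endpoint that changes state on GET; such an endpoint has to move to POST (or carry the token in the query) before the check has any effect.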
To make the world a better place I created a simple and handy CSRF Tool: homakov.github.io
- Copy as cURL from the Web Inspector, paste it into the text field and get a working template in a few clicks.
- No hassle. Researchers need a playground to demonstrate CSRF; with CSRF Tool you can simply give a link with a working template.
- No disclosure. The fragment (the part after #) is not sent to the server, so I am not able to track the CSRFs you are currently researching (GitHub Pages doesn't have a server side anyway). The link to the template contains all the information inside.
- Auto-submit for more fun; Base64 makes the URL longer but hides the template.
- Add new fields and modify existing ones; change the request method and endpoint path seamlessly.
- Post into an iframe (which is carefully sandboxed) or a new window, try Referrer-free submission and so on.
tell me whatcha gonna do???
Everything is free but donations are welcome :) PayPal: homakov@gmail.com
> so I am not able
Technically you're able to get it via JS and send it somewhere.
Of course, but the code is open and you can see there are no back doors.
On the other hand, you can fork the code and be in control of the source.
There is not much to fork, but sure, it's just 1 single HTML file.
I also facepalm when I see CSRF in websites. I created a similar simple tool and companion scriptlet that allows for scraping forms off of web sites and recreating them simply in the tool.
https://github.com/akrikos/CSRF-Testing-Tools
I should really stand these up somewhere so that it's not left as an exercise for the reader.
I really like that your tool doesn't require an actual form on the page. Makes it much easier to work with ajax requests.
Yeah, nice. Though forms are not suitable for a proper CSRF pen test - many requests are sent with pure XHR, you can't catch them.
lol, u typed the same thing before me!
Yeah, I created the other tool to allow manual testers to be able to test a mainly form-based application for CSRF vulnerabilities. We were trying to retrofit an application with a custom framework to be protected from CSRF attacks.
Nice work :-)
Btw, this is the wrong way to verify the token:
cookies[:token] == params[:token]
Classic timing attack error.
I hate discussions about timing attacks. Most of them are overestimated. I wrote such a script once.
Can u make it work? https://gist.github.com/homakov/4953145
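A small model of the point raised in this exchange, added here as an example and not code from the post or from the commenters: `early_exit_steps` imitates a comparison that stops at the first differing byte, as a plain `==` on strings typically does, and reports how many bytes it examined; `fixed_steps` examines every byte regardless of where the mismatch is. The token values are constructed for the example.

```ruby
# Added example, not from the post or the comments: counts how much work
# two comparison styles do, to make the early-exit behaviour visible.
module CompareModel
  # Byte-by-byte comparison that stops at the first mismatch.
  # Returns [equal?, bytes_examined].
  def self.early_exit_steps(secret, guess)
    return [false, 0] if secret.bytesize != guess.bytesize
    steps = 0
    secret.bytes.zip(guess.bytes) do |s, g|
      steps += 1
      return [false, steps] if s != g
    end
    [true, steps]
  end

  # Comparison whose amount of work does not depend on where the first
  # mismatch is: every byte is folded into `diff` before a verdict is given.
  # Returns [equal?, bytes_examined].
  def self.fixed_steps(secret, guess)
    return [false, 0] if secret.bytesize != guess.bytesize
    diff = 0
    steps = 0
    secret.bytes.zip(guess.bytes) do |s, g|
      steps += 1
      diff |= s ^ g
    end
    [diff.zero?, steps]
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = "a1b2c3d4" # constructed sample token
  ["zzzzzzzz", "a1b2zzzz", secret].each do |guess|
    puts "#{guess}: early-exit #{CompareModel.early_exit_steps(secret, guess).inspect}, " \
         "fixed #{CompareModel.fixed_steps(secret, guess).inspect}"
  end
end
```

Whether the difference is measurable over a network is what the thread disputes; the model only shows that the early-exit variant's work grows with the length of the matching prefix, which is the property a fixed-work comparison removes.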
But sometimes not every state-changing call uses a POST method. This applies to popular sites too, which use GET and use the query parameters to change state on the server side.
And this is a mistake too. They should use POST or have a CSRF token in the query (OAuth works with the state param).
What are your thoughts on AJAX apps and the model of essentially one unique token per session (then reusing that token on every form submission) vs. a different token per request? A CSRF token REST endpoint?
One token for a long time is fine.
Looks like the iframe button in the CSRF tool isn't working.
Use the "submit" button. I will update the tool soon.
Awesome :) Thanks! It's a pretty awesome tool, makes it a lot easier to poke at things.