technology is here


April 8th, 2012 at 1:00 pm

Cross site Request Forgery attack (CSRF Attack)

CSRF vulnerabilities have been known since 1990 in some cases threaten the exploitation and remain to this day along with the spread of a variety of websites with technologies and features of each.

Cross site Request Forgery (CSRF) is a falsification of the actual request comes from a different website but from the client side does not change the IP address because it was executed by the victim

How CSRF strike their vistims

CSRF diagram

image by:

The attacker sends a link or a page containing a hidden request to the victim (the user) which is then executed by the user link to the target website.

In preparing the attack, the attacker will learn the weaknesses of the target website which can be exploited by CSRF technique

Websites that store cookies so that users can come back to their website and access their pages without any verification username and password again is the target site than this CSRF attacker

The next attacker will also learn whether the site is to check the headers or token contains a unique ID. If security is not done and only by a session or cookies when you login, the CSRF attacks will be easy to succeed

Another exploration could be done by the attacker is to look at what features are provided by the website, may be a form or a button that can submit

The attacker will look at functions, actions such as delete accounts, change passwords, change their preferences, will attract the attention of the attacker to attack the interests of their

If there are parameters that could potentially be used in CSRF attacks the attacker will determine the value of the attack parameters. If there is a hidden input token contains the secret, the attacker will try to find algorithms and find the information of the contents of those fields.

Ready to do after the attack, the attacker will try to pull the victim with a link or page that contains a hidden request.

Tags: cracking, CSRF, hacking, website, website security


RSS feed for comments on this post | TrackBack URI