web application security lab

CSRF, Yup, It’s Real Folks

Arian Evans has sent me a few emails on this, so to get him off my back I’m going to do a quick post about CSRF (Cross Site Request Forgeries). Yes, it’s real, it’s used, and it’s far more dangerous than most people give it credit for. First, let’s re-cap the news. A CSRF in Gmail allowed some poor guy’s domain to get hijacked. Not too surprising, knowing how poor Google’s security is. Now, how about this one where a pharming attack was spotted in the wild that leveraged CSRF to take over victims’ routers and send all packets bound for a Mexican banking site instead to the attacker. Zulfikar Ramzan at Symantec fails to mention that much of that concept was based on my original technique for “breaking into a router” from a previous post, but alas. I like Zulfikar, so I won’t harp on him too much for missing that one. ;)

I cannot stress more how dangerous CSRF is. “One click attacks” are not even one click in most cases. You can simply visit a web board and instead of seeing an off domain image, you are invisibly having your router get re-routed, your credit card that’s on file with XYZ.com being used for purchases, your user preferences or passwords get changed and so on. I’ve seen a number of examples of CSRF in the wild now beyond this (it’s even been used against me), and I see no reason to believe this attack is going to decrease in likelihood or as a threat in general anytime in the near future. CSRF is here to stay. It’s how the Internet was built and it’s not changing any time in the near future.

9 Responses to “CSRF, Yup, It’s Real Folks”

  1. bob Says:

    I think it is irresponsible for RSnake to hint that Zulfikar Ramzan is academically dishonest or neglectful. Zulfy is one of the best security researchers in the business and it’s wrong to imply that he did not credit someone with an idea, even if done in jest.

    RSnake cites a 200-word blog post as prior work and claims credit for the idea himself. In contrast, Ramzan published a full-length academic paper in a peer-reviewed conference and cites prior work, such as Jeremiah Grossman’s BlackHat presentation in 2006: http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf

    Here’s Bruce Schneier’s praise for the paper:
    http://www.schneier.com/blog/archives/2007/02/driveby_pharmin.html

    For your readers, check out Zulfikar Ramzan is a serious security researcher. He has published in top security venues such as Crypto, FOCS, PKC, and CCC: http://www.informatik.uni-trier.de/~ley/db/indices/a-tree/r/Ramzan:Zulfikar.html

  2. RSnake Says:

    @bob - relax - I was never inferring that he was dishonest. I meant only that he mentioned Jeremiah but Jeremiah’s speech was based on some stuff I did (and Jeremiah referenced me in his speech in regard to this exact topic). It was a tongue-in-cheek poke at Zulfikar (who I know and like, and actually was on a panel with). Hence the winky face. Sheesh! Yes, I agree Zulfikar is a great guy and a hell of a researcher.

    But congrats on completely missing the point of the post! I guess I shouldn’t expect too much from a Google employee in the same post where I’m criticizing your security.

  3. Jon A. Longoria Says:

    @bob

    Calm down, you’ve completely missed the implied elbow-nudge/ giggle-giggle in his post. Don’t be so near-sighted, impropriety in collectively protecting a userbase from cross-site insecurities (we’ll take Google’s case-in-point) is something you should be getting fired up about, instead.

    Additionally, why wouldn’t you address your concerns to him in direct contact before spouting off your rhetoric and propaganda on this weblog? I think YOU are irresponsible for not attempting to convene with the subject of your tiff first - that shows a lack of developed professionalism and/or maturity.

    To publicly berate someone without due process only strengthens their position with their constituents, in most cases. That is counter-productive marketing on your part if you’re really attempting to weaken the reputation of a veteran in the webappsec community based on misinterpreted actions. Quit being so silly.

  4. Emma Says:

    I don’t understand - how can you hijack someone’s router and not have them know. I think I’ve completely overshot what CSRF involves besides that it’s dangerous, scary and works.

  5. natron Says:

    @emma:

    CSRF is an attack where someone else makes a request for you, impersonating you to some resource. In the case of a router, someone could make a request to update your firewall rules and use a different DNS server. The router would think the router’s owner had requested the DNS server change, but the router’s owner (you) never knew what happened.

    To directly answer your question, whether or not you notice that your router has been “hijacked” depends largely on a) how attentive you are and b) how good the attacker is at hiding what they’re doing.
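Editor’s added example (not part of the original post or of any commenter’s words): a toy, in-memory model of the router scenario natron describes above and of the “change settings with a single URL” pattern the post itself warns about. A vulnerable handler that trusts only the session cookie sits beside a hardened one that refuses GET for state changes, checks the request’s source, and requires a per-session anti-CSRF token. The router origin, attacker page, DNS addresses and session layout are all constructed for the demonstration.

```python
# Added example, not from the post: simulated browser requests against a
# constructed router admin endpoint, vulnerable and hardened side by side.
import hmac
import secrets
from dataclasses import dataclass, field

ROUTER_ORIGIN = "http://192.168.1.1"             # assumed admin UI origin
ATTACKER_PAGE = "http://attacker.example/board"  # constructed web-board page

SESSIONS: dict[str, dict] = {}   # cookie value -> server-side session state


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16), "dns": "192.0.2.53"}
    return sid


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def image_tag_request(sid: str, dns: str) -> Request:
    """What the browser sends when a page on attacker.example embeds
    <img src="http://192.168.1.1/set_dns?dns=...">: a GET that carries the
    router cookie, has no Origin header, and names the attacker page as Referer."""
    return Request("GET", {"sid": sid}, {"dns": dns}, {"Referer": ATTACKER_PAGE})


def form_request(sid: str, dns: str) -> Request:
    """A POST from the router's own settings page, which embeds the session token."""
    token = SESSIONS[sid]["csrf"]
    return Request("POST", {"sid": sid}, {"dns": dns, "csrf": token},
                   {"Origin": ROUTER_ORIGIN})


def forged_post_request(sid: str, dns: str) -> Request:
    """A POST auto-submitted from the attacker page: cookie present, token unknown."""
    return Request("POST", {"sid": sid}, {"dns": dns}, {"Origin": "http://attacker.example"})


def vulnerable_set_dns(req: Request) -> int:
    """Checks only that a valid session cookie is present. The browser attaches
    that cookie to any request aimed at the router, so the image tag passes."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    sess["dns"] = req.params["dns"]
    return 200


def hardened_set_dns(req: Request) -> int:
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    if req.method != "POST":                 # state changes never on GET
        return 405
    # Defence in depth: the request must originate from the router's own pages.
    # Origin is preferred; Referer is the fallback. A missing value is rejected.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if source != ROUTER_ORIGIN and not source.startswith(ROUTER_ORIGIN + "/"):
        return 403
    # Primary defence: a per-session secret the attacker's page cannot read.
    token = req.params.get("csrf", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    sess["dns"] = req.params["dns"]
    return 200


def current_dns(sid: str) -> str:
    return SESSIONS[sid]["dns"]


def demo() -> dict:
    """Run the image-tag and forged-POST requests against both handlers."""
    r = {}
    sid = login("admin")
    r["vuln_img"] = vulnerable_set_dns(image_tag_request(sid, "203.0.113.66"))
    r["vuln_dns"] = current_dns(sid)                    # silently changed
    sid = login("admin")
    r["hard_img"] = hardened_set_dns(image_tag_request(sid, "203.0.113.66"))
    r["hard_forged"] = hardened_set_dns(forged_post_request(sid, "203.0.113.66"))
    r["hard_dns_after_attacks"] = current_dns(sid)      # unchanged
    r["hard_form"] = hardened_set_dns(form_request(sid, "198.51.100.9"))
    r["hard_dns_after_form"] = current_dns(sid)         # legitimate change
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The token check is what actually stops the attack: the forged page can make the victim’s browser send the cookie, but it cannot read a value that only the router’s own HTML contains. The source check is a second layer, and it has a known cost: privacy extensions and proxies that strip Referer, combined with browsers that omit Origin on some requests, will cause false rejections of legitimate users, so it should not be the only check. The same shape applies to Strace’s password-change example below: any request that changes state on the strength of a cookie alone is exposed, whether it is a DNS setting or a password.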

  6. Falcon Says:

    What has the world come to! Aren’t you guys sick and tired of hyping Mickey Mouse vulnerabilities?

  7. RSnake Says:

    @Falcon - Case in point. You are exactly the type of person I was referring to in regards to people who fail to give credit to the danger of CSRF. How is taking over people’s routers with an image tag not worth talking about? Other than the fact that it’s simple to do, I see nothing trivial about these sorts of attacks (especially regarding damage potential).

  8. Strace Says:

    I was doing some personal research by examining social network sites that were vulnerable to CSRF. My favorite case was one site (which I will not name because they have not fixed the issue) allowed a user to change their password and contact email address without inputting their current password. So with a single URL you could inadvertently trick them into changing their password to a value you choose, and resetting their primary email to be an arbitrary account. With a few of the tricks on your XSS cheat sheet, you could send users a “wink” that reset their password and email when viewed. This is archetypal CSRF and its severity is something I evangelize in all my talks.

  9. Jon A. Longoria Says:

    The most simple of attacks in the past have proven to be some with the highest impact because no one took them seriously.