Cross-Site Request Forgery (CSRF)
ID: 352 | Date: (C)2012-05-14 (M)2022-10-10 | Type: compound element | Status: DRAFT | Abstraction Type: Variant
Description
The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Likelihood of Exploit: Medium to High
Applicable Platforms
Language Class: Language-independent
Technology Class: Web-Server
Time Of Introduction
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
| --- | --- | --- |
| Confidentiality; Integrity; Availability; Non-Repudiation; Access Control | Gain privileges / assume identity; Bypass protection mechanism; Read application data; Modify application data; DoS: crash / exit / restart | The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could effectively perform any operation as the victim. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application: deleting or stealing data, uninstalling the product, or using it to launch other attacks against all of the product's users. Because the attacker has the identity of the victim, the scope of CSRF is limited only by the victim's privileges. |
Detection Methods
| Name | Description | Effectiveness | Notes |
| --- | --- | --- | --- |
| Manual Analysis | This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. Specifically, manual analysis can be useful for finding this weakness, and for minimizing false positives assuming an understanding of business logic. However, it might not achieve desired code coverage within limited time constraints. For black-box analysis, if credentials are not known for privileged accounts, then the most security-critical portions of the application may not receive sufficient attention. Consider using OWASP CSRFTester to identify potential issues and aid in manual analysis. | High | |
| Automated Static Analysis | CSRF is currently difficult to detect reliably using automated techniques. This is because each application has its own implicit security policy that dictates which requests can be influenced by an outsider and automatically performed on behalf of a user, versus which requests require strong confidence that the user intends to make the request. For example, a keyword search of the public portion of a web site is typically expected to be encoded within a link that can be launched automatically when the user clicks on the link. | Limited | |
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
| --- | --- | --- | --- | --- |
| Architecture and Design | Libraries or Frameworks | Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, use anti-CSRF packages such as the OWASP CSRFGuard [R.352.3]. Another example is the ESAPI Session Management control, which includes a component for CSRF [R.352.9]. | | |
| Implementation | | Ensure that the application is free of cross-site scripting issues (CWE-79), because most CSRF defenses can be bypassed using attacker-controlled script. | | |
| Architecture and Design | | Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330) [R.352.5]. | | Note that this can be bypassed using XSS (CWE-79). |
| Architecture and Design | | Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. | | Note that this can be bypassed using XSS (CWE-79). |
| Architecture and Design | | Use the "double-submitted cookie" method as described by Felten and Zeller: When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user's machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same. Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult. This technique requires JavaScript, so it may not work for browsers that have JavaScript disabled [R.352.4]. | | Note that this can probably be bypassed using XSS (CWE-79), or when using web technologies that enable the attacker to read raw headers from HTTP requests. |
| Architecture and Design | | Do not use the GET method for any request that triggers a state change. | | |
| Implementation | | Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons. | | Note that this can be bypassed using XSS (CWE-79). An attacker could use XSS to generate a spoofed Referer, or to generate a malicious request from a page whose Referer would be allowed. |
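The Referer-header mitigation in the table above comes with the caveat that privacy settings or proxies may strip the header from legitimate requests. The following Python code is an added example, not part of the CWE entry, showing a Referer check that keeps that failure mode separate from a genuine origin mismatch, so the deployment can choose whether to fail closed when the header is absent. `ALLOWED_ORIGIN`, the function names and the header dictionaries are constructed for this example; it compares the full origin (scheme, host, non-default port) rather than a string prefix.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumption: the application's own origin; constructed for this example.
ALLOWED_ORIGIN = "https://app.example"


def referer_origin(headers: Dict[str, str]) -> Optional[str]:
    """Extract scheme://host[:port] from the Referer header.

    Returns None when the header is absent, empty or not an absolute URL.
    That is the case the CWE entry warns about: users and proxies may have
    disabled Referer for privacy reasons, so "missing" is not "forged".
    """
    ref = headers.get("Referer", "")
    if not ref:
        return None
    parts = urlsplit(ref)
    try:
        port = parts.port
    except ValueError:  # malformed port, treat the header as unusable
        return None
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname  # urlsplit already lower-cases the host name
    default_port = {"https": 443, "http": 80}.get(scheme)
    if port is None or port == default_port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def referer_check(headers: Dict[str, str], allow_missing: bool = False) -> str:
    """Classify a state-changing request by its Referer origin.

    Returns one of:
      "allow"           - Referer origin equals ALLOWED_ORIGIN
      "reject-mismatch" - Referer present but from another origin
      "reject-missing"  - no usable Referer and the policy fails closed
      "allow-missing"   - no usable Referer but the policy tolerates it
    Whole-origin comparison means app.example.other.example does not
    match app.example, which a prefix or substring check would get wrong.
    """
    origin = referer_origin(headers)
    if origin is None:
        return "allow-missing" if allow_missing else "reject-missing"
    return "allow" if origin == ALLOWED_ORIGIN.lower() else "reject-mismatch"


if __name__ == "__main__":
    # Constructed sample headers covering the three outcomes.
    samples = [
        {"Referer": "https://app.example/settings"},
        {"Referer": "https://other.example/page"},
        {},
    ]
    for hdrs in samples:
        print(hdrs, "->", referer_check(hdrs))
```

Whatever policy is chosen for the missing case, the entry's note still applies: this check is a secondary measure, and an XSS flaw on an allowed page defeats it because the forged request then originates from an acceptable Referer.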
Relationships
This can be resultant from XSS, although XSS is not necessarily required.
| Related CWE | Type | View | Chain |
| --- | --- | --- | --- |
| CWE-352 ChildOf CWE-814 | Category | CWE-809 | |
Demonstrative Examples
- This example PHP code attempts to secure the form submission process
by validating that the user submitting the form has a valid session. A CSRF
attack would not be prevented by this countermeasure because the attacker
forges a request through the user's web browser in which a valid session
already exists.
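The PHP code the demonstrative example refers to is not reproduced on this page. The following Python code is an added example, not the CWE entry's own, that makes the same point runnable: a handler that only checks for a valid session accepts a cross-site forged request because the browser attaches the session cookie anyway, while the two mitigations from the table above, a per-form nonce bound to the session and the double-submitted cookie, reject it. `SESSIONS`, the `Request` class and the handler names are constructed stand-ins for a real framework's session store and request object; the tokens come from `secrets` so they are not predictable (CWE-330).

```python
import hmac
import secrets
from typing import Dict

# Constructed in-memory session store: session id -> session data.
SESSIONS: Dict[str, dict] = {}


class Request:
    """Stand-in for an HTTP request. The browser attaches cookies automatically,
    so a forged cross-site POST carries the same cookies as a legitimate one."""

    def __init__(self, method: str, cookies: Dict[str, str], form: Dict[str, str]):
        self.method = method
        self.cookies = cookies
        self.form = form


def login(user: str) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "nonces": set()}
    return sid


def render_form(sid: str) -> str:
    """Per-form nonce mitigation: an unpredictable value stored with the session
    and emitted into the form; the handler verifies it on receipt."""
    nonce = secrets.token_urlsafe(32)
    SESSIONS[sid]["nonces"].add(nonce)
    return nonce


def issue_csrf_cookie() -> str:
    """Double-submitted cookie mitigation (Felten and Zeller): the site sets a
    pseudorandom cookie that page script copies into every form it submits."""
    return secrets.token_urlsafe(32)


def _session(req: Request):
    return SESSIONS.get(req.cookies.get("session", ""))


def handle_session_only(req: Request) -> str:
    """The flawed check from the demonstrative example: a valid session suffices."""
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return "denied: no valid session"
    return f"changed email for {sess['user']} to {req.form.get('email')}"


def handle_with_nonce(req: Request) -> str:
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return "denied: no valid session"
    nonce = req.form.get("csrf_nonce", "")
    if nonce not in sess["nonces"]:
        return "denied: missing or unknown form nonce"
    sess["nonces"].discard(nonce)  # single use: a captured nonce cannot be replayed
    return f"changed email for {sess['user']} to {req.form.get('email')}"


def handle_double_submit(req: Request) -> str:
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return "denied: no valid session"
    cookie_val = req.cookies.get("csrf", "")
    form_val = req.form.get("csrf", "")
    # Constant-time comparison; a cross-site page cannot read the cookie value.
    if not cookie_val or not hmac.compare_digest(cookie_val.encode(), form_val.encode()):
        return "denied: form value does not match csrf cookie"
    return f"changed email for {sess['user']} to {req.form.get('email')}"


def demo() -> Dict[str, Dict[str, str]]:
    """Run a legitimate submission, a cross-site forgery and a replay through all three handlers."""
    sid = login("alice")
    csrf_cookie = issue_csrf_cookie()
    nonce = render_form(sid)
    cookies = {"session": sid, "csrf": csrf_cookie}  # attached by the browser in every case
    legit = Request("POST", cookies, {"email": "alice@example", "csrf_nonce": nonce, "csrf": csrf_cookie})
    # The same-origin policy keeps the nonce and cookie value out of a cross-site page's reach,
    # so the forged form can only omit (or guess) them.
    forged = Request("POST", cookies, {"email": "attacker@example"})
    results: Dict[str, Dict[str, str]] = {}
    for name, req in (("legit", legit), ("forged", forged), ("replay", legit)):
        results[name] = {
            "session_only": handle_session_only(req),
            "nonce": handle_with_nonce(req),
            "double_submit": handle_double_submit(req),
        }
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The replay case shows one difference between the two mitigations: the per-form nonce is consumed on use, whereas the double-submitted cookie is static for the session, so a legitimate form can be resubmitted under it. Neither check helps once the attacker can run script in the site's origin, which is why the table pairs them with the CWE-79 note.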
Observed Examples
- CVE-2004-1703 : Add user accounts via a URL in an img tag
- CVE-2004-1995 : Add user accounts via a URL in an img tag
- CVE-2004-1967 : Arbitrary code execution by specifying the code in a crafted img tag or URL
- CVE-2004-1842 : Gain administrative privileges via a URL in an img tag
- CVE-2005-1947 : Delete a victim's information via a URL or an img tag
- CVE-2005-2059 : Change another user's settings via a URL or an img tag
- CVE-2005-1674 : Perform actions as administrator via a URL or an img tag
- CVE-2009-3520 : modify password for the administrator
- CVE-2009-3022 : CMS allows modification of configuration via CSRF attack against the administrator
- CVE-2009-3759 : web interface allows password changes or stopping a virtual machine via CSRF
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings
| Taxonomy | Id | Name | Fit |
| --- | --- | --- | --- |
| PLOVER | | Cross-Site Request Forgery (CSRF) | |
| OWASP Top Ten 2007 | A5 | Cross Site Request Forgery (CSRF) | Exact |
| WASC | 9 | Cross-site Request Forgery | |
References:
- [R.352.1] Michael Howard, David LeBlanc and John Viega. 24 Deadly Sins of Software Security. McGraw-Hill, 2010. Section "Sin 2: Web-Server Related Vulnerabilities (XSS, XSRF, and Response Splitting)", page 37.
- [R.352.2] Peter W. Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images). Bugtraq.
- [R.352.3] OWASP. Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet.
- [R.352.4] Edward W. Felten and William Zeller. Cross-Site Request Forgeries: Exploitation and Prevention. 2008-10-18.
- [R.352.5] Robert Auger. CSRF - The Cross-Site Request Forgery (CSRF/XSRF) FAQ.
- [R.352.6] Cross-site request forgery. Wikipedia. 2008-12-22.
- [R.352.7] Jason Lam. Top 25 Series - Rank 4 - Cross Site Request Forgery. SANS Software Security Institute. 2010-03-03.
- [R.352.8] Jeff Atwood. Preventing CSRF and XSRF Attacks. 2008-10-14.
- [R.352.9] OWASP. OWASP Enterprise Security API (ESAPI) Project.