Thursday, February 12, 2015

CSRF: Cross Site Request Forgery attack

OWASP CSRFTester is a tool for testing websites for CSRF vulnerabilities.
Cross Site Request Forgery (CSRF) is an attack whereby the victim is tricked into loading information
from, or submitting information to, a web application to which they are currently authenticated. The
problem is that the web application has no means of verifying the integrity of the request.
The OWASP CSRFTester Project attempts to give developers the ability to test their applications for CSRF flaws.
I have not written code for the solution to this. I will write it later; you will get a lot of help from Google.

Steps to test:
1) Download the CSRFTester tool; it is available for free on the web.
2) Open the CSRFTester run.bat file; it will open a pop-up window. The tool listens on port 8008.
3) Open your website link. In Internet Explorer, go to Connections and set it to use a proxy at 127.0.0.1, port 8008.
4) Copy the website link and paste it into the URL text field of the CSRFTester window.
5) Click "Start Recording" in the tool (CSRFTester).
6) Enter the data in the original URL's form and click Submit.
7) The CSRFTester tool will store all the information related to this request.
8) Generate the Form HTML report (the button is in the CSRFTester window) and save it on the desktop.
9) Open that saved HTML file in a new browser window.
10) Edit the fields and change the values.
11) Submit the data.

Example:
A (a logged-in user) wants to transfer money to B.
C (the hacker or middleman) redirects the transfer so that the money goes from A to C.
Real user request URL:    GET http://bank.com/transfer.do?acct=B&amount=100 HTTP/1.1    SUBMIT

The one below is the modified link in the saved HTML (see step 8 above).
Fraud user request URL:   GET http://bank.com/transfer.do?acct=C&amount=100000 HTTP/1.1    SUBMIT

The transaction from A->B is successful (genuine transaction).
The transaction from A->C is ALSO successful (fraudulent transaction made by the HACKER). Your application should be designed in such a way
that it stops duplicate (replayed) requests and unauthenticated (forged) requests.
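To make the fix concrete, here is an added example (my own illustration, not code from the post or from the CSRFTester project) that simulates the bank's transfer.do endpoint twice: once as the vulnerable handler that honours any request carrying a valid session cookie, and once hardened with the synchronizer-token pattern, where state changes are only accepted over POST and must carry a per-session secret that only the bank's own page could have embedded. The Request class, SESSIONS store, TRANSFERS ledger and handler names are assumptions made for the illustration, not a real framework's API.

```python
"""Added example (not from the original post): the post's bank transfer
endpoint, first CSRF-vulnerable, then hardened with a synchronizer token.
Request, SESSIONS, TRANSFERS and the handler names are assumptions for
this illustration, not any real framework's API."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed in-memory state standing in for the bank's session store and ledger.
SESSIONS: dict[str, dict] = {}           # session id -> {"user": ..., "csrf": ...}
TRANSFERS: list[tuple[str, str, int]] = []  # (from, to, amount) that actually went through


@dataclass
class Request:
    """Only the parts of an HTTP request the handlers look at."""
    method: str
    path: str
    query: str = ""                      # raw query string, e.g. "acct=B&amount=100"
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session; the browser keeps the returned id in a cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the bank's own transfer form embeds as a hidden field."""
    return SESSIONS[sid]["csrf"]


def handle_transfer_vulnerable(req: Request) -> int:
    """transfer.do as in the post: a valid session cookie is all it checks,
    so a forged GET from another site is honoured just like the real one."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401
    params = parse_qs(req.query)
    TRANSFERS.append((sess["user"], params["acct"][0], int(params["amount"][0])))
    return 200


def handle_transfer_hardened(req: Request) -> int:
    """Same endpoint with the synchronizer-token pattern: state changes only
    over POST, and the request must carry the per-session secret."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401
    if req.method != "POST":
        return 405                       # stops the link/GET trick outright
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied.encode(), sess["csrf"].encode()):
        return 403                       # forged cross-site form: no token
    TRANSFERS.append((sess["user"], req.form["acct"], int(req.form["amount"])))
    return 200


def demo() -> dict:
    """Replay the post's A->B / A->C scenario against both handlers."""
    TRANSFERS.clear()
    sid = login("A")
    cookie = {"session": sid}            # the browser attaches this automatically
    genuine_get = Request("GET", "/transfer.do", "acct=B&amount=100", cookie)
    forged_get = Request("GET", "/transfer.do", "acct=C&amount=100000", cookie)
    # The bank's own page knows the token; the attacker's page does not.
    genuine_post = Request("POST", "/transfer.do", "", cookie,
                           {"acct": "B", "amount": "100", "csrf_token": csrf_token_for(sid)})
    forged_post = Request("POST", "/transfer.do", "", cookie,
                          {"acct": "C", "amount": "100000"})
    return {
        "vulnerable": [handle_transfer_vulnerable(genuine_get),
                       handle_transfer_vulnerable(forged_get)],   # both 200
        "hardened_get": handle_transfer_hardened(genuine_get),    # 405
        "hardened_post_with_token": handle_transfer_hardened(genuine_post),  # 200
        "hardened_forged_post": handle_transfer_hardened(forged_post),       # 403
        "transfers": list(TRANSFERS),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The token must be unpredictable, bound to the user's session and compared in constant time; a fixed or guessable value would be no better than the cookie alone. Rejecting GET for state changes is a separate but cheap layer, and the same idea extends to checking the Origin or Referer header and marking the session cookie SameSite, but the per-request secret is what actually lets the server tell a genuine form submission from a forged one.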