Saturday, May 18, 2013

CSRF Tool

I facepalm when I hear about CSRF in popular websites. (I was searching for them in the past but then realized that's a boring waste of time.)

A while ago our friend Nir published a CSRF that changed a Facebook password, and it was the last straw. I can recall at least 5 major CSRF vulnerabilities in Facebook published in the last 6 months. This level of web security is unacceptable nonsense for Facebook.

So, here is a short reminder about mitigation:
Every state-changing (POST) request must contain a random token. The server must check it before processing the request against the value stored in the cookie it received: cookies[:token] == params[:token]. If any POST endpoint lacks such a check, something is clearly wrong with the implementation.

To make the world a better place I created a simple and handy CSRF Tool: homakov.github.io


  1. Copy as cURL from the Web Inspector, paste it into the text field and get a working template in a few clicks.
  2. No hassle. Researchers need a playground to demonstrate CSRF; with CSRF Tool you can simply give a link with a working template.
  3. No disclosure. The fragment (the part after #) is not sent to the server side, so I am not able to track the CSRFs you are currently researching (GitHub Pages don't have a server side anyway). The link to a template contains all the information inside.
  4. Auto-submit for more fun; Base64 makes the URL longer but hides the template.
  5. Add new fields and modify existing ones, change the request method and endpoint path seamlessly.
  6. Post into an iframe (which is carefully sandboxed) or a new window, try Referrer-free submission and so on.
You got a cross site request forgery tool
tell me whatcha gonna do???




Everything is free but donations are welcome :) PayPal: homakov@gmail.com

15 comments:

  1. > so I am not able

    Technically you're able to get it via JS and send somewhere

    1. Of course, but the code is open and you can see there are no back doors.

  2. On the other hand, you can fork the code and be in control of the source.

    1. There is not much to fork, but sure, it's just 1 single HTML file.

  3. I also facepalm when I see csrf in websites. I created a similar simple tool and companion scriptlet that allows for scraping forms off of web sites and recreating them simply in the tool.

    https://github.com/akrikos/CSRF-Testing-Tools

    I should really stand these up somewhere so that it's not left as an exercise for the reader.

    1. I really like that your tool doesn't require an actual form on the page. Makes it much easier to work with ajax requests.

    2. Yeah, nice. Though forms are not suitable for a proper CSRF pen test; many requests are sent with pure XHR, and you can't catch them.

    3. lol, u typed same thing before me!

    4. Yeah, I created the other tool to allow manual testers to be able to test a mainly form-based application for csrf vulnerabilities. We were trying to retrofit an application with a custom framework to be protected from CSRF attacks.

      Nice work :-)

  4. Btw, this is the wrong way to verify the token:

    cookies[:token] == params[:token]

    Classic timing attack error.

    1. I hate discussions about timing attacks. Most of them are overestimated. I wrote such a script once,
      can u make it work? https://gist.github.com/homakov/4953145

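The post's reminder (check the submitted token against the one in the cookie) and the point raised in this comment (a plain `==` on the two strings leaks timing) together, as an added Ruby example that is not part of the post, of CSRF Tool, or of Rails. The `cookies` and `params` hashes, `csrf_valid?`, `authorize_request` and the other function names are my own assumptions for a framework-free demo. The comparison hashes both tokens to a fixed length and ORs the XOR of every byte pair, so it takes the same time whether or not the tokens match, and missing or empty tokens are rejected rather than treated as equal. It also gates every state-changing method, not only POST; a GET handler is exempt only on the assumption that it really is read-only.

```ruby
require 'securerandom'
require 'digest'

# Methods that change state and therefore must carry a valid token.
# GET is exempt only because a GET handler is assumed to be read-only.
STATE_CHANGING = %w[POST PUT PATCH DELETE].freeze

# Fresh random token: the server stores it in a cookie, and the page echoes
# it into every state-changing form or XHR request as a parameter.
def generate_csrf_token
  SecureRandom.hex(32)
end

# Constant-time comparison. Both inputs are hashed to a fixed 32-byte length
# first, so the loop below never short-circuits on length or on the first
# differing byte; the result depends only on the accumulated XOR.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  da = Digest::SHA256.digest(a)
  db = Digest::SHA256.digest(b)
  diff = 0
  da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Double-submit check: the token submitted with the request must equal the
# token in the cookie, and both must be present and non-empty (otherwise a
# request with no cookie and no parameter would compare "" == "" and pass).
def csrf_valid?(cookies, params)
  cookie_token = cookies[:token]
  param_token = params[:token]
  return false if cookie_token.nil? || cookie_token.empty?
  return false if param_token.nil? || param_token.empty?
  secure_compare(cookie_token, param_token)
end

# Gatekeeper to run before any handler (hypothetical name): :ok for safe
# methods or for state-changing requests with a valid token, :forbidden
# otherwise.
def authorize_request(method, cookies, params)
  return :ok unless STATE_CHANGING.include?(method.to_s.upcase)
  csrf_valid?(cookies, params) ? :ok : :forbidden
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: one legitimate request and one forged cross-site
  # request that carries the victim's cookie but cannot know its value.
  token = generate_csrf_token
  puts authorize_request('POST', { token: token }, { token: token })   # :ok
  puts authorize_request('POST', { token: token }, { token: 'guess' }) # :forbidden
  puts authorize_request('POST', { token: token }, {})                 # :forbidden
end
```

Only the cookie-versus-parameter equality is checked here; a real deployment also needs the token cookie to be unguessable per session and the parameter to come from the page rather than from anything an attacker can set.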
  5. But sometimes not every state-changing call uses a POST method. This applies to popular sites too, which use GET and use the query parameters to change state on the server side.

    1. And this is a mistake too. They should use POST or have a CSRF token in the query (OAuth works with the state param).

  6. What are your thoughts on AJAX apps and the model of essentially one unique token per session (then reusing that token on every form submission) vs. a different token per request? A CSRF token REST endpoint?
