μικροblog


October 19, 2006

When the internet user (YOU!) becomes the victim and the accomplice… Cross-Site Request Forgery as high-tech identity theft and impersonation

Take a normal Web user who works on a PC, visits sites, buys online, chats online and neglects to erase the cookies that track that online activity… Mark this as people’s exhibit 1!

The same user visits forums to exchange ideas with others. Forum posts by other users contain text and images… STOP! Images! Mark this as people’s exhibit 2!

Images seem harmless to the eye, but their src attribute can point to whatever resource, site or script the poster wants it to point to. When the browser loads the image it sends that request, with the user’s cookies attached, and so the request can be a malicious action performed against the target site! Mark this as people’s exhibit 3!

Mix all 3 elements together and you have Cross-Site Request Forgery: a deceptive act in which the attacker impersonates another user (the victim) against a site he/she has used, for no legitimate purpose.

And here are the horrifying facts against the 3 elements previously discussed:

- The attacker knows the sites the victim visits, i.e. the sites that store cookies for the victim.
- The attacker hopes the target site relies on persistent authentication cookies, or that the victim has a current session cookie, has neglected to delete/clear his/her cookies when the browser session ends, or forgot to log off.
- The target site doesn’t perform secondary authentication for sensitive transactions as a precaution against identity theft or impersonation.
- The more sites you visit, the more your risk increases.
- The user has no clue as to what’s happening. The user becomes the accomplice. The user becomes the victim.
- That user is you! Me! Everybody surfing oblivious of the dangers, obvious and well hidden, that lurk in the universal Internet of 0’s and 1’s.
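As an added example (not code from the original post), here is a small Python model of the server-side check that the third bullet asks for: a forged image request carries the victim’s cookie but cannot carry a per-session token, so the token is the secondary check that stops it. The site name `bank.example`, the session store and the cookie value are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: cookie value -> session data.
# The csrf_token lives server-side and is only ever embedded in the site's own forms,
# so a forum page on another origin has no way to read or forge it.
SESSIONS = {
    "sess-abc123": {"user": "alice", "csrf_token": secrets.token_hex(16)},
}


def handle_transfer(method, cookies, form, origin, site_origin="https://bank.example"):
    """Decide whether a state-changing request may proceed; returns (allowed, reason).

    The browser attaches cookies to every request it makes, including one triggered
    by an <img src=...> on someone else's forum post, so the session cookie alone must
    not be accepted as proof that the user intended the action.
    """
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return False, "no session"
    # 1. State changes only over POST: an <img src> can only issue a GET.
    if method != "POST":
        return False, "state change requires POST"
    # 2. When the browser sends an Origin header it must be the site's own origin.
    if origin is not None and origin != site_origin:
        return False, "cross-site origin"
    # 3. Secondary check: the per-session token embedded in the site's own form.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return False, "missing or bad csrf token"
    return True, f"transfer by {session['user']} accepted"


def forged_image_request():
    """The forum-image case: a GET sent with the victim's cookie, no token, no body."""
    return handle_transfer("GET", {"session": "sess-abc123"}, {}, origin=None)


def post_without_token():
    """A POST that carries the cookie but not the token is still refused."""
    return handle_transfer("POST", {"session": "sess-abc123"},
                           {"to": "bob", "amt": "100"}, origin=None)


def legitimate_request():
    """A form submitted from the site's own page: POST, same origin, token included."""
    token = SESSIONS["sess-abc123"]["csrf_token"]
    return handle_transfer("POST", {"session": "sess-abc123"},
                           {"to": "bob", "amt": "100", "csrf_token": token},
                           origin="https://bank.example")
```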

Perhaps these diagrams can clear up how CSRF works.
Need more proof? Read on:

http://www.darkreading.com/document.asp?doc_id=107651&WT.svl=news1_6
http://en.wikipedia.org/wiki/Csrf

Categories: Developing · Networking