Discovering Modern CSRF Patch Failures

There is plenty of documentation explaining these fundamental concepts more in depth[10], but the focus is on ways to exploit the issues and bypass modern protections against them. See references in the end for further information.

HTTP GET

The GET method in HTTP allows for many options to exploit CSRF vulnerabilities. Here’s an example form to change a user’s password:

<form action=”changepass.php” method=”GET” name=”changepassform”> Username: <input type=”text” value=”” name=”user” />
Password: <input type=”password” value=”” name=”pass” />
<input type=”submit” value=”submit” /></form>

If we make a request for this page attempting to login as the user admin with the password of changeme, the request would be:

GET /changepass.php?user=admin&pass=changeme&submit=submit HTTP/1.1
Cookie: authenticated=yes
Host: victimsite.com

Look at how this request compares to the request for the image seen in the previous section. What happens if html were used as such:

<img src=”http://victimsite.com/changepass.php?user=admin&pass=changeme&submit=submit” />

Once the victim’s browser attempts to grab this resource, they will make the full request with their authentication data, in this example the authenticated cookie. Such behavior allows an attacker to change the victim’s password with an image that will not display (unless src is dynamically switched with a real one).

This attack vector is common in today’s web applications and massive lists of unreported vulnerabilities exist for popular content management systems. This is a perfect opportunity for the beginning bug hunter.

HTTP POST

When CSRF vulnerabilities gained public attention, a lot of people decided that simply changing the form method from GET to POST would secure them against this attack. Of course, this is not true and takes little more effort to exploit CSRF via POST. So, how would an attacker go about exploiting a form using the POST method? Let’s take our example form and use the POST method:

<form action=”changepass.php” method=”POST” name=”changepassform”>
Username: <input type=”text” value=”” name=”user” />
Password: <input type=”password” value=”” name=”pass” />
<input type=”submit” value=”submit” /></form>

<body onload=’document.changepassform.submit();’>

Once the body of the page finishes loading (form is created and accessible) the onload event triggers and submits the document’s (page) form called changepassform. All we need to do is write the values for the user input. Here is how the finished exploit would look like if we wanted to change the password for the user, admin, to changeme.

<html><body onload=’document.changepassform.submit();’>
<form action=”changepass.php” method=”POST” name=”changepassform”>
Username: <input type=”text” value=”admin” name=”user” />
Password: <input type=”password” value=”changeme” name=”pass” />
<input type=”submit” value=”submit” /></form></body></html>

This is usually exploited from another domain, but it is still very possible to exploit the issue locally. A fun trick is to attempt to request the page with GET instead of POST and see if it still executes the action. While the client-side may say POST, the server-side may not care what method is used and let a GET method perform the action. This is caused by $_REQUEST being used and allowing any method of user supplied data to fill the requirement. Let’s take a look at a real vulnerability I found in Kryn CMS:

http://packetstormsecurity.org/files/91307/kryn-xssxsrf.txt

Even if the application enforces POST, we can still abuse other vectors to plant the script into the page and exploit the issue locally. Our friend here will be reflective XSS, but any kind of script injection vulnerability will work.

Security Attempts

There exist a lot of different patch attempts to secure against CSRF vulnerabilities. I personally have seen quiet a few strange patch attempts because the developers did not understand the full depth of attack vectors, such as changing the form method from GET to POST. I’ve seen developers think the only exploitation vector was locally with an image and they would be secure by enforcing extension checking and character restrictions on forum bbcode that allowed the display of images. Even locally the issue still existed and could be exploited as other tags referenced external resources. The remote attack vector also remained completely untouched.

Next, some of the most common protections you will see implemented today will be discussed. These protections are referrer/location checking, captchas (out of the scope of this document), and nonce tokens. We will start with the defense that’s the most straightforward to bypass, referrer checking.

Referrer Checking

The referrer checking security mechanism is for protection from remote attack vectors. The ideais that the request has to come from the same domain that they are attempting the actions on. If it does not, the referrer check will fail and alert the application the request came from outside of a valid domain. To show you a real-world example, let’s take a look at some vulnerabilities I found in Mod-X CMS:

http://packetstormsecurity.org/files/93066/modx-xssxsrf.txt

The referrer protection check seen in Mod-X was:

if (!empty($referer)) { if (!preg_match(‘/^’.preg_quote(MODX_SITE_URL, ‘/’).’/i’, $referer)) {

MODX_SITE_URL is globally defined and you can think of it as the domain that Mod-X is running on. The regex is saying it must start with the defined domain name (victimsite.com) and end
in /. This start and end value checks prevent someone from creating victimsite.comp.attackersite.com to bypass the check. $referer is a variable holding the global php variable $_SERVER[‘HTTP_REFERER’];. Now, if the referrer is not empty and contains the domain name, then the referrer is validated.

This protection can be effective, but definitely not a panacea. Old bugs in places like xmlhttprequest and flash/java allowed you to set the referrer header across origins for the request on behalf of the user[6]. However, these have been taken care of long ago so we will need a more globally acceptable and modern solution. We come back to our old friend XSS.

Through reflective XSS, we have the ability to inject our script into the page. We can use an iframe pointing to XSS that submits the vulnerable form. This type of attack chain can be used to bypass nonce tokens and practically any other form of security surrounding it. Here’s the proof-of-concept exploit abusing the Mod-X vulnerabilities:

<iframe src=”http://victimsite.com/manager/media/ImageEditor/editor.php?img=</title></head><body onload=’document.formcool.submit();’><form name=’formcool’ method=’POST’ action=’http://victimsite.com/manager/index.php?a=34′><input type=’hidden’ name=’id’ value=”><input type=’hidden’ name=’pass1′ value=’admin2′ /><input type=’hidden’ name=’pass2′ value=’admin2′ /><input type=’submit’ name=’save’ value=’Submit+Query’ /></form>” />

The iframe points to an XSS injection found in the img variable of editor.php. It then injects the vulnerable form (password change) and the form submitting javascript into the page. Once the iframe loads, the injection will submit inside of victimsite.com’s origin on behalf of the victim visiting attackersite.com. Because the javascript is submitting from the victimsite.com domain, the referrer checking is bypassed. In this proof of concept, the iframe is not stealthy at all and you would find this hidden if not removed dynamically after success.

Improper Nonce Entropy

Now let’s discuss the most common and known form of defense for CSRF vulnerabilities, nonce tokens. The idea is to use a pseudo-random number used only once, or what’s commonly known as nonce, as a hidden field for the form submission. Some security stipulations are that it’s generated with a secure form of entropy, implemented appropriately, and also validated by the server.

The nonce is then added to a hidden input field for each form that should require a point of validation before action. Once the form is submitted, the server-side language needs to check if the token is correct. If the token is not valid, the request is not processed. Taking our example password change form, let’s add the hidden nonce check:

<form action=”changepass.php” method=”POST” name=”changepassform”>
Username: <input type=”text” value=”” name=”user” />
Password: <input type=”password” value=”” name=”pass” />
<input type=”hidden” value=”3c8376f8198cd374” name=”token” />
<input type=”submit” value=”submit” /></form>

The value for the hidden token field (3c8376f8198cd374) is where the randomly generated nonce will be placed for each user action. However, there isn’t a simple function like token() to generate secure entropy for the nonce. Because there is no standard function to generate this token, there ends up being several different homegrown solutions for creating and managing the tokens.

The starting tactic I use when checking for weak entropy is to generate a massive amount of the tokens quickly and see how random it really is across the large data set. When performing these requests, be careful because you may DoS the server. Additionally, alarms may be triggered that gets your ip blocked. This test is a tradeoff with the time you have and how thorough you want to check this vector. You may want to do quick bursts to different pages with available tokens on a random time limit between minimum and maximum (5-30 seconds). The speed is important to check for weak time- based entropy or possible entropy source saturation issues.

If you notice the randomization starts off great, then gets weaker later on, you may be saturating or have saturated the entropy source. From here you can abuse the entropy source before you attempt to narrow down the victim’s nonce. However, it’s rare to see such a poor implementation or entropy reduction attack. Instead, let’s talk about patterns for weak algorithms.

Check and see if the nonce value is randomized all the time, random for one action, or random per session. I’ve seen implementations where the nonce is generated until used or a hashed session id is used until a new one is generated on next login or timeout period. Then see what the length is and the character set being used. Is it 4 characters long and only using 0-9 for a character set? Are there static characters being used? Maybe only the least or most significant 4 characters of 16 are actually randomized and the rest is based on a unique value, but not by user, where you can request your own token and then bruteforce the 4 missing characters. You may find such algorithms where a token uses date(), hour/minute on time(), and other known and slower changing values. These types of algorithms will allow for a more reliable bruteforce attack against them.

Conducting bruteforce attacks may end up being a bit complicated and/or not very reliable. Your goal is to get the victim to stay on your site for long enough to generate a valid token for the victim. Techniques for keeping the victim on the attacker’s site mostly involve either direct or generic social engineering. Proof of concepts usually involve game sites (page change in the site should not stop the attack) where the victim can play games while being exploited. Porn websites are a common distribution point used often in real-world exploitation. The most effective will be a targeted and specially crafted page after researching wanted victim’s interests (spear phishing).

For interesting techniques, you will want to look into malware distribution groups and data. Drive-by malware need to have exploit packs finish which may require attacks that take a while to work like large heap sprays. They like using movie/music streaming to keep them on the page while the work gets done in the background.

For use until action or per session tokens, you can attempt to bruteforce a token with the given character set. However, there’s a more elegant solution to this and will bypass server-side token attempt limits. The technique involves the token being used with GET so it is passed via url. We can use browser history tricks like the old CSS history hack[3] which only validates client-side and never needs to touch victimsite.com. While these techniques are out of the scope for this document, I have provided a link to a proof of concept of this technique[4]. The more validation turns to accessible client-side storage, like local storage, local sql databases, and etc., the more may be possible without ever having to generate requests to external origin’s. Thanks to HTML5, this is the way the web is moving to offload from remote servers.

With always random, but weak size and character set, your goal is to generate one good token and constantly hit the form with your generated token until successful. The next question becomes how to tell if the attack was successful or not? If we are talking about a simple password change form exploit from a remote php web server, you can use cURL to attempt to login to the account with your defined values. If successful, stop, if not then continue looping around your chunk of script/code. It is suggested to try a large set of bruteforce attempts before checking if login is successful as to lower lockouts, bruteforce alerts, and large amounts of traffic to victimsite.com.

Bruteforcing isn’t the most elegant solution and there’s lots of ways to deny such simple attacks by invalidating the user/session/ip after many failed token validations attempts.

Next, it’s important to discuss weaknesses in the algorithm itself. The code that floats around most sites for secure generation involve base64 encoding an algorithm that uses time() and another value. However, time() in PHP is based on epoch, which is a known value:

“Returns the current time measured in the number of seconds since the Unix Epoch (January 1 1970 00:00:00 GMT). “[2]

This means we can generate our own time() locally and not worry about this piece of entropy. The next step is to take a look at other sources of entropy that may be used in the algorithm. Typically this involves something from the user so the token generated from one user is not the same as another user. Because of this there ends up being lots of room for basic mistakes such as using a statically known value like the username. Perhaps such an algorithm:

$token = base64_encode(time() + $username);

The username is used to exploit the password change example, so this value is also known to us. As we can generate the same time() that the remote server would, we now have both pieces of entropy to generate a valid token for the victim’s action. Attacking over the internet will involve some lag time from the local time() generation than the server’s time(), so a little math, response timestamps, and any further validation may be needed. This could end up taking a few attempts during the victim’s visit. Even with these minor issues it is a much more reliable exploit.
Finally, there may also be issues with the language’s use of certain functions. Some function that may have been a secure form of entropy may no longer be secure. Samy Kamkar discovered this and used the discovery to know supposedly random session values to attack Facebook. He then proceeded to make a humorous blackhat presentation (video and/or presentation) out of it that I highly suggest if you are looking for cryptographic weaknesses[7]. These types of issues exist and are generally very dangerous when discovered, so the issues are reported quiet often. It is best to check/follow the language’s bug tracker to find more relevant cryptographic weaknesses.

Improper Nonce Validation

With the harder way to defeat nonce checking is out of the way, let’s talk about improper validation. This vulnerability exists in a lot of web sites including popular sites. What happens is a secure token will be generated and a good implementation used, but the code never validates the token when the actions are attempted. For the example password change form, let’s change nothing about it and keep the hidden nonce token field. Let’s assume that it uses appropriate entropy and a limit on token failures per session. What happens if we were to submit that form without even including the token value or the entire field? If the password still changes it means that they generate a valid nonce, but they never validate against it for the action.

It seems almost unbelievable this would happen in popular/production sites, but I would like to show an example that my friend M.J. Keith found in Facebook’s implementation[5]. Facebook created their token with the name of post_form_id that allowed different user actions. When this field was simply removed from the request, the action was still performed. This makes all the nonce security pointless.

Script Injection Invalidates Most Security

The final form of attack to discuss is chaining vulnerabilities. You can have the best security against CSRF exploits, but if a javascript injection attack exists in the same origin it invalidates any security. The reason is Javascript has access to all html objects and attributes on the page via the DOM. Let’s take our hidden field nonce token:

<input type=”hidden” value=”3c8376f8198cd374” name=”token” />

Let’s also take a look at our simple javascript form submission line:

<body onload=’document.changepassform.submit();’>

By object names you can select the contents of the nonce token and plant it into the appropriate value for your form. The document.changepassform.token.value element should give you access to this data. If the form name is dynamic or just doesn’t have a name, you can also access the forms by using forms[#] and elements by forms[#].elements[#]. These values start at 0 and will increase for each form seen in the document (page). For example, let’s say our changepass form was the first form on the page. We could create our own form and fill in the token with a token from another form or we can submit a form already on the page by filling in everything other than the token and submitting it. Let’s say an injection was found that allows script insertion after the form. Also, let’s say the target form is the first in the document. If the form is:

<form action=”changepass.php” method=”POST” name=”myform”>
Username: <input type=”text” value=”” name=”user” />
Password: <input type=”password” value=”” name=”pass” />
<input type=”hidden” value=”3c8376f8198cd374” name=”token” />
<input type=”submit” value=”submit” /> </form>