OWASP Security Shepherd Project - Cross Site Request Forgery Lesson

What is Cross Site Request Forgery Vulnerability/Threat?

    A Cross-Site Request Forgery (CSRF) attack forces a user's browser to send a forged HTTP request, carrying the user's session cookie, to an application, tricking the user into unknowingly interacting with an application they are currently logged into. CSRF attacks are possible when the application does not verify that the user actually intended to make the request. The severity of a CSRF attack varies with the functionality the victim is tricked into invoking: an attack aimed at an administrator is far more severe than one aimed at a guest user.
    To prevent CSRF attacks, every state-changing request must include a nonce token (an unpredictable value). To find CSRF vulnerabilities in an application, first check whether such a token exists. If a request does not contain a nonce at all, it is likely vulnerable to CSRF. If a request does contain a nonce, there are further steps in testing for CSRF: even though the nonce is present in the request, it may not be validated, or the server may accept a null value. It is also possible that the application's nonce management lets an attacker use their own valid nonce in another user's request!
    HTTP requests can be sent using JavaScript. Requests sent this way include an "X-Requested-With" HTTP header. If the server checks for this header on incoming requests, it can serve as CSRF protection without a nonce value, because the header cannot be set from a remote domain under the Same Origin Policy, which prevents an attacker from delivering the attack remotely. It is not advised to rely on this as the sole CSRF protection, as browser issues that allow cross-domain requests to be sent from a browser are found regularly.
    CSRF attacks can be performed on both GET and POST HTTP requests. To force a victim to submit a GET request seamlessly, the request can be embedded in an image tag on a web page, as follows:
<img src="http://www.secureBank.ie/sendMoney?giveMoneyTo=hacker&giveAmount=1000"/>

To force a victim to send a POST request requires a little more effort. The easiest way is to create a form that submits itself automatically using JavaScript, as in the following example:
<form name="csrfForm" action="http://www.secureBank.ie/sendMoney" method="POST">
<input type="hidden" name="giveMoneyTo" value="hacker" />
<input type="hidden" name="giveAmount" value="1000" />
<input type="submit"/>
</form>
<script>
document.csrfForm.submit();
</script>
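The lesson text above lists the checks a CSRF defence needs: state changes must not be reachable through a plain GET (the image-tag delivery), the nonce must be present and non-empty, it must actually be validated, and a nonce issued to one session must not be accepted in another user's request, with the X-Requested-With header as a secondary signal only. The following is an added example, not Security Shepherd code, that puts those checks into a small framework-independent guard; the request dictionaries, session ids, and the endpoint names are constructed for the example, and the `weak_check` method reproduces the flawed "any issued nonce is accepted" behaviour the lesson warns about, for contrast with the hardened `check`.

```python
import hmac
import secrets

# Added example (not Security Shepherd code): a synchronizer-token guard for
# state-changing requests, covering the weaknesses the lesson text lists.

STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


class CsrfGuard:
    def __init__(self):
        self._tokens = {}  # session id -> nonce issued to that session

    def issue_token(self, session_id):
        """Issue an unpredictable per-session nonce to embed in forms."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def weak_check(self, request):
        """Flawed validation from the lesson text: any nonce the server ever
        issued is accepted, regardless of which session it was issued to,
        so an attacker's own valid nonce works in a victim's request.
        Shown only for contrast with check()."""
        submitted = request.get("form", {}).get("csrf_token")
        return submitted in self._tokens.values()

    def check(self, request):
        """Hardened validation for a state-changing endpoint.
        Returns (accepted, reason)."""
        method = request.get("method", "GET").upper()
        if method not in STATE_CHANGING_METHODS:
            # An <img src=...> can only produce a GET; never change state on it.
            return False, "state change refused on %s: use POST" % method
        expected = self._tokens.get(request.get("session"))
        if expected is None:
            return False, "no token issued for this session"
        submitted = request.get("form", {}).get("csrf_token")
        if not submitted:
            # Rejects both a missing token and the null/empty-value case.
            return False, "token missing or empty"
        if not hmac.compare_digest(expected, submitted):
            # Token is bound to the session, so another user's nonce fails.
            return False, "token does not belong to this session"
        return True, "ok"


def has_ajax_header(request):
    """The X-Requested-With check from the lesson: a defence-in-depth signal,
    not a replacement for the nonce."""
    headers = request.get("headers", {})
    return headers.get("X-Requested-With") == "XMLHttpRequest"


def demo():
    """Run the guard over constructed requests; all forged requests carry the
    victim's session because the browser attaches the cookie automatically."""
    guard = CsrfGuard()
    victim_token = guard.issue_token("victim-session")
    attacker_token = guard.issue_token("attacker-session")

    transfer = {"giveMoneyTo": "hacker", "giveAmount": "1000"}  # constructed
    legit = {"method": "POST", "session": "victim-session",
             "headers": {"X-Requested-With": "XMLHttpRequest"},
             "form": {"giveMoneyTo": "alice", "giveAmount": "10",
                      "csrf_token": victim_token}}
    forged_get = {"method": "GET", "session": "victim-session",
                  "form": dict(transfer)}
    forged_no_token = {"method": "POST", "session": "victim-session",
                       "form": dict(transfer)}
    forged_empty_token = {"method": "POST", "session": "victim-session",
                          "form": dict(transfer, csrf_token="")}
    forged_attacker_token = {"method": "POST", "session": "victim-session",
                             "form": dict(transfer, csrf_token=attacker_token)}

    return {
        "legit": guard.check(legit),
        "legit_has_header": has_ajax_header(legit),
        "forged_get": guard.check(forged_get),
        "forged_no_token": guard.check(forged_no_token),
        "forged_empty_token": guard.check(forged_empty_token),
        "forged_attacker_token": guard.check(forged_attacker_token),
        "weak_accepts_attacker_token": guard.weak_check(forged_attacker_token),
        "weak_rejects_no_token": guard.weak_check(forged_no_token),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The contrast worth noticing is `weak_check` versus `check` on `forged_attacker_token`: both see a nonce the server genuinely issued, but only the session-bound comparison rejects it, which is exactly the nonce-management flaw the lesson says to test for after confirming a token is present.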

Lesson

    In this lesson, we want to force the server, with its root privilege, to grant us (userId:155200317) the LessonComplete mark. In addition, the Contact Admin application provides a way to send the administrator a message (which accepts an img URL). Thus, let's leverage the <img> example format provided by the lesson and make the message https://192.168.56.103/root/grantComplete/csrfLesson?userId=149751551 (since the <img> tag is rendered by Contact Admin) to see if we can pass the lesson.


    Fairly easy, we have finished the lesson!
