OWASP quick reference

CSRF:
A third-party program, blog page or email causes the victim's browser to perform an unwanted action on a site where the current user is already authenticated.


Objectives of CSRF:

  • Transfer money from one bank account to another.
  • Use a content management system to add/delete content from a website.
  • Change a user’s password.
  • Add items to a user’s shopping basket.
  • Change the delivery address of an order.


Solution:
Include a CSRF token in every form and verify it on every submission.

Example:
A user has logged into his bank site. He did not log out, and then clicked a link on another, hostile site. Because his session with the bank site was still valid, the page he landed on, which imitated a bank form, performed an HTTP POST to the bank site. The funds were transferred.
http://haacked.com/archive/2009/04/02/anatomy-of-csrf-attack.aspx/

Example of creating your own CSRF token and validating it in Drupal.
In the <form>, add a hidden field named 'token' whose value is
$formtoken = md5(drupal_get_hash_salt().$nid.$origin.$build_id.$form_name);

and, after submission, recompute the same value in the POST callback and reject the request if it does not match the submitted token.
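The following is an added, self-contained illustration of the token scheme described above, not code from the post or from Drupal. It is written in Python rather than PHP so it runs stand-alone; the salt and session ids are constructed placeholders standing in for drupal_get_hash_salt() and the real session cookie, and HMAC-SHA256 is used in place of the post's plain md5 so the token is also bound to the session (a token minted in one session cannot be replayed into another).

```python
import hashlib
import hmac
import html

# Constructed placeholder standing in for Drupal's drupal_get_hash_salt();
# a real site keeps this secret and unguessable.
HASH_SALT = "constructed-example-salt"


def make_csrf_token(salt: str, session_id: str, form_name: str, nid: str) -> str:
    """Derive the hidden 'token' value for one form in one session.

    Same idea as the post's md5(salt . nid . ... . form_name) recipe, with two
    changes: HMAC-SHA256 instead of md5, and the session id mixed in so a token
    obtained in some other session is useless against this one.
    """
    message = "|".join([session_id, form_name, nid]).encode()
    return hmac.new(salt.encode(), message, hashlib.sha256).hexdigest()


def render_transfer_form(salt: str, session_id: str, nid: str) -> str:
    """Emit the form with the token embedded as a hidden field."""
    token = make_csrf_token(salt, session_id, "transfer_form", nid)
    return (
        '<form method="post" action="/transfer">\n'
        f'  <input type="hidden" name="token" value="{html.escape(token)}">\n'
        f'  <input type="hidden" name="nid" value="{html.escape(nid)}">\n'
        '  <input type="text" name="amount">\n'
        '  <input type="submit" value="Transfer">\n'
        '</form>'
    )


def handle_transfer_post(salt: str, session_id: str, post: dict) -> bool:
    """POST callback: accept the submission only if the token matches.

    Returns True when the transfer may proceed, False when it must be refused.
    """
    expected = make_csrf_token(salt, session_id, "transfer_form", post.get("nid", ""))
    submitted = post.get("token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, submitted)


# Constructed scenario from the post: the victim is logged in, and a page on a
# third-party site posts to the bank site riding on the still-valid session.
VICTIM_SESSION = "sess-victim-0001"
OTHER_SESSION = "sess-other-0002"
NID = "42"


def legitimate_submission() -> bool:
    """The real form, rendered in the victim's session, is submitted back."""
    token = make_csrf_token(HASH_SALT, VICTIM_SESSION, "transfer_form", NID)
    return handle_transfer_post(HASH_SALT, VICTIM_SESSION,
                                {"nid": NID, "amount": "1000", "token": token})


def forged_submission_without_token() -> bool:
    """A cross-site page cannot read the victim's form, so it has no token."""
    return handle_transfer_post(HASH_SALT, VICTIM_SESSION,
                                {"nid": NID, "amount": "1000"})


def forged_submission_with_foreign_token() -> bool:
    """A token obtained by loading the form in a different session."""
    token = make_csrf_token(HASH_SALT, OTHER_SESSION, "transfer_form", NID)
    return handle_transfer_post(HASH_SALT, VICTIM_SESSION,
                                {"nid": NID, "amount": "1000", "token": token})


if __name__ == "__main__":
    print(render_transfer_form(HASH_SALT, VICTIM_SESSION, NID))
    print("legitimate accepted:", legitimate_submission())          # True
    print("forged, no token accepted:", forged_submission_without_token())       # False
    print("forged, foreign token accepted:", forged_submission_with_foreign_token())  # False
```

The two properties worth checking in any implementation are visible here: the token cannot be produced without the secret salt, and because the session id is part of the input, a token that leaked from one session does not validate in another. The md5 recipe in the post lacks the second property unless one of its inputs is itself session-specific.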

Clickjacking:
Clickjacking loads the target website inside a transparent iframe and, using CSS tricks, makes users click links and buttons they never intended to click.


Objectives:
1. Force users to post a message on Twitter
2. Force users to click the Like button on Facebook
3. Force users to click on a malicious ad
4. Download malware onto the user's computer, spread viruses, steal information

