CWE-352: Cross-Site Request Forgery (CSRF)

Description

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE

Extended Description

When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.

Example Vulnerable Codes

Example - 1

This example PHP code attempts to secure the form submission process by validating that the user submitting the form has a valid session. A CSRF attack would not be prevented by this countermeasure because the attacker forges a request through the user's web browser in which a valid session already exists.

The following HTML is intended to allow a user to update a profile.


<form action="/url/profile.php" method="post"><input type="text" name="firstname"/><input type="text" name="lastname"/><br/><input type="text" name="email"/><input type="submit" name="submit" value="Update"/></form>

profile.php contains the following code.


// //if the session is registered to a valid user then allow update// 

// // Redirect user to login page// 
echo "invalid session detected!";[...]exit;
// // The user session is valid, so process the request// 
// // and update the information// 

// // read in the data from $POST and send an update// 
// // to the database// 
SendUpdateToDatabase($_SESSION['username'], $_POST['email']);[...]echo "Your profile has been successfully updated.";// initiate the session in order to validate sessionssession_start();if (! session_is_registered("username")) {}update_profile();function update_profile {}

This code may look protected since it checks for a valid session. However, CSRF attacks can be staged from virtually any tag or HTML construct, including image tags, links, embed or object tags, or other attributes that load background images.

The attacker can then host code that will silently change the username and email address of any user that visits the page while remaining logged in to the target web application. The code might be an innocent-looking web page such as:



// // send to profile.php// 
form.email = "[email protected]";form.submit();
<SCRIPT>function SendAttack () {}</SCRIPT><BODY onload="javascript:SendAttack();"><form action="http://victim.example.com/profile.php" id="form" method="post"><input type="hidden" name="firstname" value="Funny"><input type="hidden" name="lastname" value="Joke"><br/><input type="hidden" name="email"></form>

Notice how the form contains hidden fields, so when it is loaded into the browser, the user will not notice it. Because SendAttack() is defined in the body's onload attribute, it will be automatically called when the victim loads the web page.

Assuming that the user is already logged in to victim.example.com, profile.php will see that a valid user session has been established, then update the email address to the attacker's own address. At this stage, the user's identity has been compromised, and messages sent through this profile could be sent to the attacker's address.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Go to

Visit http://cwe.mitre.org/ for more details.