A simple example of Cross-site request forgery attack using PHP

Cross-site request forgery (XSRF) is an attack that exploits websites with weak authorization by taking advantage of the browser session and the same-origin policy. To understand Cross-site request forgery more clearly, you can read the wiki page here. This post will demonstrate a simple exploitation using this technique.

In order for the attack to be successful, there are some requirements:

  • The victim (user) must be logged in and active on the target website.
  • The victim is tricked into visiting a page created by the attacker.

I will set up a basic session-based authentication in PHP to demonstrate the vulnerability. You can view a video to get an idea of what we are going to do: http://youtu.be/ZwnAPhDQR4E
The target website will have these pages:

  • log in (index.php)
  • content (content.php)
  • log out (logout.php)

User must be logged in in order to access content.php.

The index.php (login):

<?php
$user_name = "Guest";
session_start();

if (($_SERVER['REQUEST_METHOD'] == 'POST') && (isset($_POST['username']))) {
    if (true) { // no password check at all: any submitted name is accepted
        $_SESSION['login'] = 1;
        $user_name = $_POST['username'];
    }
}
echo "Welcome $user_name <br />";

if (!isset($_SESSION['login'])) {
?>

<html>
<head></head>
<body>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
Username:
<input type="text" name="username"> <br />
<input type="submit" name="submit" value="Log In">
</form>
</body>
</html>
<?php } else {
    // "Welcome ..." was already echoed above, so this redirect only works
    // while PHP output buffering is enabled (the default in php.ini-development)
    header('location: content.php');
}?>

As you can see, the user just has to enter a name to log in; the server then creates a session, and the browser keeps the session cookie so the server remembers this user. On the content page, we will use this code to check the authentication:

<?php
session_start();
if (isset($_SESSION['login'])) {
?>
<a href="logout.php">Get me out</a><br />
<?php
echo "You are logged in with sid: <br />" . session_id() . "<br />";
?>
<form action="content.php" method="GET">
<input type="text" name="write" />
<input type="submit" value="Write this" />
</form>
<?php
    // state-changing action triggered by a plain GET, with no check beyond the session
    if (isset($_GET['write'])) {
        $myFile = "text";
        $fh = fopen($myFile, 'a') or die("can't open file");

        fwrite($fh, $_GET['write'] . "\n");
        fclose($fh);
        echo $_GET['write'] . " has been written down on file";
    }
}
else {
    echo "You are not logged in.<br />";
    echo "<a href=index.php>Login</a><br />";
}
?>

We check the session: if $_SESSION['login'] is set, the user is logged in and we show a greeting message. We also let them write content to the 'text' file via the GET method. If you are using a Linux machine, make sure to set the permission for 'text' to 755 🙂

We also create logout.php as follows; it simply destroys the session and redirects to the home page:

<?php
session_start();
session_destroy();
header("location: index.php");
?>

Now, the attacker sets up a page, mal.php, to exploit this website. It is very simple:

<img src="content.php?write=owned!">
<img src="logout.php">
<br />
<script> alert("Go back to your file and see. By the way, you have been logged out :)"); </script>

Now, log in to the website and go to content.php. Open another tab and go to mal.php, then open the file 'text': you will see that the content has been changed although the user didn't do anything on the website.

The reason is that mal.php makes the browser send a request to content.php to write the string 'owned!', and since the user is still active, the session cookie the browser attaches to that request is valid. Because content.php does no further checking, the server accepts and executes the request. The same goes for the second request, which logs the user out. If you come back to the content.php page and hit refresh or try to write something, you will find that you have to log in again.
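As an added example that is not part of the original post, here is how content.php could be hardened against exactly these two requests: the write action only runs over POST, and only when a per-session synchronizer token is presented, which the attacker's page cannot read because of the same-origin policy. It assumes PHP 7 or newer (random_bytes(), hash_equals(), the ?? operator).

```php
<?php
// Added example, not the original post's code: hardened content.php.
// Assumes PHP 7+ for random_bytes(), hash_equals() and the ?? operator.
session_start();

if (!isset($_SESSION['login'])) {
    echo "You are not logged in.<br />";
    echo "<a href=index.php>Login</a><br />";
    exit;
}

// 1. Issue one random synchronizer token per session. mal.php, served
//    from another origin, cannot read it, so it cannot forge a valid form.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
$token = $_SESSION['csrf_token'];

// 2. Accept the state-changing action only over POST, and only when the
//    submitted token matches (constant-time compare against the session).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['write'])) {
    $submitted = $_POST['csrf_token'] ?? '';
    if (!hash_equals($token, $submitted)) {
        http_response_code(403);
        echo "Request rejected: missing or invalid CSRF token.<br />";
        exit;
    }
    $fh = fopen('text', 'a') or die("can't open file");
    fwrite($fh, $_POST['write'] . "\n");
    fclose($fh);
    // escape before echoing so the written text cannot inject HTML into the page
    echo htmlspecialchars($_POST['write'], ENT_QUOTES, 'UTF-8') . " has been written down on file<br />";
}

// A GET to content.php (which is all <img src="content.php?write=...">
// can produce) now only renders the page and changes nothing.
?>
<a href="logout.php">Get me out</a><br />
<form action="content.php" method="POST">
    <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>" />
    <input type="text" name="write" />
    <input type="submit" value="Write this" />
</form>
```

logout.php would get the same POST-plus-token check, so the second <img> in mal.php fails for the same reason as the first.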

Source code: http://www.mediafire.com/?28sn1p8yzpz7bcy
Video demo: http://youtu.be/ZwnAPhDQR4E
Next post about preventing XSRF: http://wp.me/puLa8-49


3 thoughts on "A simple example of Cross-site request forgery attack using PHP"

  1. Have you ever thought about creating an ebook or guest authoring on other
    websites? I have a blog centered on the same ideas you discuss and would
    really like to have you share some stories/information.
    I know my visitors would enjoy your work. If you’re even remotely interested, feel free to shoot me an email.

    • Hi,
      Thanks for commenting.
      I am just a beginner to security and still learning. I would love to share what I know. Since the school work is kind of busy, I cannot commit to writing very often. However, feel free to share my posts on your blog if you think it is useful 🙂

      Best,
      Hieu

  2. Excellent goods from you, man. I have understood your stuff previously and you're just too fantastic. I really like what you've acquired here, certainly like what
    you're saying and the way in which you say it. You make it entertaining and you still manage to keep it smart. I can't wait to read much
    more from you. This is really a great web site.
