Monday, November 28, 2011

CSRF with JSON – leveraging XHR and CORS

Same Origin Policy (SOP) dictates cross-domain calls and governs the establishment of cross-domain connections. SOP bypasses enable the CSRF attack vector: an attacker can inject a payload on a cross-domain page that initiates a request without the consent or knowledge of the target user. HTML 5 adds one more policy called CORS (Cross Origin Resource Sharing). CORS is a “response blind” technique, controlled by the extra HTTP header “Origin” and its variants, but it allows the request to hit the target in one direction. Hence, it is possible to do one-way CSRF. It is possible to initiate a CSRF vector using XHR Level 2 on HTML 5 pages, and this can prove a really lethal attack vector. XHR establishes a stealthy connection that remains largely hidden; an XHR connection can be set up with “withCredentials” as true along with the POST method. This allows the cookie to replay and helps in crafting a successful CSRF scenario or session riding. Interestingly, HTML 5 along with CORS allows performing file upload CSRF as well. It is possible to craft JavaScript using XHR and inject a JSON payload cross-domain. If the server-side code or JSON library does not validate the “Content-Type”, it will process the request and allow a successful CSRF.
For example, here is a script which performs CSRF cross-domain.



Here, we have “Content-Type” set to “text/plain” and no extra custom header added, so CORS will not issue a preflight OPTIONS request to check the rules on the server side and will make the POST request directly. At the same time we have set withCredentials to “true”, so the cookie will replay.

On the wire we can see the following request.

As you can see, the cookie is replayed and the JSON POST has been initiated. We get the following response back from the application.

The application processed the request and sent JSON back. It is a clear case of CSRF. This can be applied to other streams as well.
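The following is an added example, not code from the original post: it models the CORS “simple request” rule that lets a credentialed text/plain POST skip the OPTIONS preflight (and why switching to application/json triggers one), next to a vulnerable JSON handler that ignores Content-Type and a hardened one that rejects the same request. The X-CSRF-Token header name and the sample request are assumptions constructed for the demo.

```javascript
// Added example, not from the original post. Header names and the sample
// request below are constructed for the demo.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

function mimeOf(value) {
  return String(value || "").split(";")[0].trim().toLowerCase();
}

// Case-insensitive header lookup on a plain {name: value} object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// True when the browser sends the request straight away with no preflight;
// withCredentials does not change this, so the session cookie rides along.
function isCorsSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  return Object.entries(headers).every(([name, value]) => {
    const n = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(n)) return false;
    return n !== "content-type" || SIMPLE_CONTENT_TYPES.has(mimeOf(value));
  });
}

// Vulnerable pattern from the post: parse whatever arrives, ignoring Content-Type.
function vulnerableJsonHandler(req) {
  try { return { status: 200, data: JSON.parse(req.body) }; }
  catch (e) { return { status: 400, data: null }; }
}

// Hardened handler: demand application/json (never a CORS-simple type) and an
// X-CSRF-Token header; a cross-origin page cannot add either without a preflight.
function hardenedJsonHandler(req, expectedToken) {
  if (mimeOf(header(req.headers, "content-type")) !== "application/json") return { status: 415, data: null };
  if (header(req.headers, "x-csrf-token") !== expectedToken) return { status: 403, data: null };
  return vulnerableJsonHandler(req);
}

// Constructed sample: the credentialed cross-origin XHR POST the post describes.
const csrfRequest = {
  method: "POST",
  headers: { "Content-Type": "text/plain" },
  body: JSON.stringify({ action: "transfer", amount: 100 }),
};
```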

39 comments:

Gynvael Coldwind said...

Hey,

Cool write-up, I've got worried that this opens a new SOP bypass hole at first read.
But I've done some digging and quite quickly realized that this isn't anything that wasn't already possible to do with standard form+.submit() XSRF exploitation method (with JSON in input's name in this case).
So I guess the good-old XSRF token still saves the day, even in this case.

Cheers :)

shreeraj said...

Yes. It is possible to do it with a form, but you need to hide that "=" at the trailing end or somewhere in between the JSON. It may spoil the JSON structure and may not get processed by the server.

Gursev Kalra said...

Hi Shreeraj,

Does this look like a one more way to achieve successful CSRF with JSON?
http://gursevkalra.blogspot.com/2011/12/json-csrf-with-parameter-padding.html

Regards

Gynvael Coldwind said...

@Gursev Kalra
"one more way"? Nope, it actually looks like the exact thing I've written about in my previous comment, so that would make it "the old way" :)

Gursev Kalra said...

Gynvael,

So your comment does not talk about how to send well-formed JSON. Sending the parameter in the name does leave a trailing '=' sign, as Shreeraj indicated.

Gynvael Coldwind said...

@Gursev Kalra
Agreed that it does not say, but it's pretty obvious how to fix the formatting :)
Hence, it's not a "one more way".

Gursev Kalra said...

Gynvael,

No worries. You win :)

Gynvael Coldwind said...

@Gursev Kalra
That being said... it's cool that you've actually written it down :)

kp said...

Hi,

I need help with writing code for CSRF for an application using the GWT framework. It's returning the content in JSON. So does the similar code given above by Shreeraj work, or do we need any other new code? PLEASE help.

Gil Bar-Tur said...

Tried it now and can't seem to get it to work.
This is my code:

function callServer() {
    var xmlhttp = new XMLHttpRequest();

    xmlhttp.onreadystatechange = function () {
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
            document.getElementById('retrievedData').innerHTML = xmlhttp.responseText;
        }
    };

    xmlhttp.open('GET', 'http://localhost:1077/DoSomething.ashx?p=' + Math.random(), true);
    // The posted line had a stray ".value)" after setRequestHeader(...), a syntax error.
    xmlhttp.setRequestHeader('Content-Type', 'text/plain');
    // withCredentials is a boolean property, not the string "true".
    xmlhttp.withCredentials = true;
    xmlhttp.send('hello');
}

Can you tell why my CSRF attack doesn't work?

Satish Kumar said...

It works fine when we set Content-Type to "text/plain".
But I need to set 'Content-Type' to 'application/json'.
I just replaced 'text/plain' with 'application/json', and the HTTP method was set to 'OPTIONS' and the content-type was not set.

Is there any way to set the content-type to 'application/json'?

Thanks

prem said...

I think this doesn't work for the DELETE method, and moreover, when the cookie is created with the httponly and secure flags set, it will not attach those cookies to the request header.

mohd shibli said...

Great tutorial. Can you tell how to convert MySQL data into JSON?
