If a post suddenly appears in your Facebook account that you did not write yourself, or if your firewall or router settings have been changed without any action on your part, then you have probably fallen victim to a so-called cross-site request forgery attack (CSRF attack for short, pronounced "sea-surf" attack). Such attacks have been known for decades, and in their traditional form they can now be defended against well by various security measures. In 2018, however, a new variant of the attack method emerged, about which little is known so far. To change that, CISPA researcher Soheil Khodayari has developed JAW, a new analysis tool that can be used to examine websites for their susceptibility to the new type of attack. In addition, Khodayari, who conducts research at CISPA in Giancarlo Pellegrino's group, was able to show in his paper "JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals" that more than three-quarters of the websites he studied had vulnerabilities that enabled the attacks. He presented his work at the prestigious USENIX Security Symposium.
CSRF is a method of attacking websites in which attackers masquerade as trusted users and perform unwanted actions in the web applications of real users. To understand how these attacks work - of which there are several types - it helps to first take a closer look at how "surfing" on the Internet actually works.
The fact that we can move around the digital world so easily today has a lot to do with the development of the World Wide Web, probably the best-known Internet service, in the 1990s. In principle, the WWW includes everything that can be called up using web browsers such as Google Chrome or Mozilla Firefox and makes up only a part of the Internet - but it is often mistakenly equated with it. The Web allows us to exchange digital data worldwide and display text, sound, image and video files of all kinds.
Internet services such as the WWW are based on the so-called client-server model. Whenever data is transferred between two computers on the network, one must provide the services and respond to requests (server), while the other sends the requests and processes the server's responses (client). For example, the client may request the server to send web pages or e-mails. The client and server communicate using the HTTP protocol, which specifies exactly how the client must formulate its request and how the server must respond. Requests from the client to the server are therefore also called HTTP requests.
In traditional CSRF attacks, attackers try to get users' web browsers to send HTTP requests that the attackers have crafted, and thereby perform malicious actions on a website, Khodayari explains. For this to work, the user must be logged in to the site being targeted. A feature that many services offer for their users' convenience is, in turn, also very helpful to the attackers.
Once users have logged in to a platform such as an online store, they remain logged in for the duration of a session. How long such sessions last depends on the service in question. While banks usually limit their sessions to a few minutes for security reasons, social networks and online stores often let their visitors stay logged in for days without having to enter their passwords again. If attackers manage to lure users to a website they control during this time and get them to click a button, for example, this can trigger the sending of a crafted HTTP request to the online store's web server and execute unwanted actions there, often unnoticed by the user for a long time. The attackers only need to know how the HTTP request expected by the server has to be formulated, which is not too difficult to find out. The server does not check where exactly the request comes from.
Translated by Tobias Ebelshäuser