At SecureState, it’s our job to think and act like malicious hackers, looking for new vulnerabilities to link and exploit so we can better help your organization protect against similar real-world attacks. Lately, our research analysts have been taking advantage of a highly effective and often overlooked attack that we think you should know about: targeting authentication forms vulnerable to Cross-Site Request Forgery (CSRF) before the user authenticates.
This is an especially dangerous attack because:
- It enhances the effectiveness of a phishing attack (already the #1 attack vector)
- The user (victim) often doesn’t know they’ve been attacked
- Many organizations are unaware of the potential danger
To help spread awareness, we’ve gathered the following information to explain what this attack is and how to protect against it.
Before we explain how this attack works, let’s begin with a quick review of the CSRF vulnerability.
According to the Open Web Application Security Project (OWASP), “Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.”
As OWASP warns, attackers can exploit CSRF to change a user’s email address or password, make a purchase, or even transfer money, so long as the user is already authenticated to the application.
For example, when you send $100 to a friend through your bank’s website, the website may use something called a GET request to execute the money transfer. You fill out a request listing the amount you’d like to send ($100) and who you would like to send it to (your BFF Barb), and the website turns that into a GET request: GET http://bank.com/transfer.do?acct=BARB&amount=100
If the banking application is vulnerable to CSRF, an attacker can create a forged request to send a different amount of money ($10,000) to a different recipient (the attacker): GET http://bank.com/transfer.do?acct=ATTACKER&amount=10000
The attacker would then embed the forged request in a link and send it to you disguised as something else, say a ticket giveaway for your favorite sports team. If you click on the link while logged into your bank’s website, the forged request is initiated and, bad news, you’re out 10 grand.
CSRF has been included in OWASP’s list of Top 10 Most Critical Web Application Security Risks for several years, and OWASP typically warns against these kinds of attacks where a user is already authenticated to an application.
However, SecureState discovered an additional way CSRF can be exploited, and it’s much easier for attackers to execute and much harder for users to detect.
OWASP warns that attackers exploit CSRF when a user is already authenticated to an application. However, what OWASP doesn’t say is that CSRF can also be exploited before authentication, particularly on authentication forms for common remote access applications like Citrix. SecureState discovered this attack vector and has recently exploited it in several assessments to devastating effect. Here’s how it works:
Let’s say your organization uses a publicly hosted login page for VPN connections to your network. And let’s say this login page is vulnerable to CSRF (because OWASP only warns about CSRF after authentication and your security team or vendor didn’t protect it before authentication as well).
An attacker can then exploit this by creating a forged VPN login page that looks exactly like your organization’s actual VPN login page, and tricking users into logging in to the forged page instead.
To do this, the attacker would first send a phishing email to your employees. For example, the attacker may pose as an IT employee telling everyone that the VPN was successfully upgraded and asking them to test the new implementation right away so IT can address any issues.
If an employee clicks on the link in the phishing email, they are taken to the forged login page. When they enter their username and password in the fake page, the attacker captures their credentials but also, thanks to the CSRF vulnerability, logs them into the VPN at the same time. For the employee, it looks as though nothing out of the ordinary has occurred; they think they’ve logged in as usual. But in reality, the attacker has captured their valid user credentials without raising anyone’s suspicions.
This isn’t a theoretical vulnerability. SecureState has already demonstrated this attack can be effective. In several assessments, our analysts have successfully captured user credentials and compromised an organization’s network by linking CSRF and phishing in this way. Moreover, the credentials captured during this type of attack have remained valid for the entire assessment. If SecureState can do it, real-world malicious attackers can too.
How this attack is unique
Attackers often create fake login pages to capture user credentials. It’s a very common phishing technique. However, in most circumstances, when a user attempts to authenticate to a forged login page, they will get an error message. This is because the fake page does not actually log them in; it just sends the user credentials to the attacker. At this point the user often gets suspicious and may report the incident to IT or security personnel. If they do, IT will typically have the user change their password right away. This gives an attacker only a brief window to use the credentials before they expire. It will also put the security team on alert, making further attacks more difficult.
What’s unique about using CSRF to capture user credentials is that the fake login page actually works! An attacker can design their forged login page to send the login request to the real login page. And because that page is vulnerable to CSRF and does not properly validate the origin of requests, it will initiate the request and log the user in correctly. As a result, the user isn’t alerted to any suspicious activity and neither is the organization’s security team. The captured credentials will be valid for a longer period of time and an attacker can successfully authenticate to the network without drawing attention.
It’s almost as if an attacker was somehow able to make a copy of your house key when you unlocked your front door. The attacker would now have access to your house, but since you got inside without noticing any trouble, you wouldn’t think anything was wrong. Then the attacker could enter your house and steal things anytime without the evidence of a normal breaking and entering (no broken windows or busted door handle).
Because most organizations are unaware of this type of attack, they don’t know to protect against it. And because the attack itself does not raise an alarm, organizations may not even know they’ve already been compromised.
How to protect against this attack
To protect your organization from this kind of attack, SecureState recommends the following:
- Determine whether you’re vulnerable. Identify applications that provide remote access to the internal network or provide access to sensitive data. Evaluate these applications to determine if an anti-CSRF token is in use. Some expertise may be required to confidently identify the vulnerability; for instance, a Web Application Penetration Test will identify the vulnerability, but a simple application vulnerability scan may not. OWASP also provides instructions on how to build a simple page to send a CSRF attack on their testing for CSRF page.
- Implement CSRF protections. To prevent this vulnerability, apply anti-CSRF tokens and configure the authentication page to check standard headers to verify request origin. There are several implementations that can be used, and for more detailed instructions, see the OWASP CSRF Prevention Cheat Sheet.
- Guard against phishing. This attack only works if users fall for phishing emails. To protect against phishing, implement technical security measures such as publishing an SPF record and flagging external emails. Conducting security awareness training by educating users how to detect and report a phish will also help reduce the vulnerability. Finally, running regular phishing campaigns and assessments reinforces the training and allows your organization to address potential weaknesses.
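As an added illustration of the two technical recommendations above (it is not SecureState's code or any vendor's), here is a minimal server-side check for a login endpoint: an anti-CSRF token issued with the login page and bound to the pre-authentication session, plus Origin/Referer verification. The host name vpn.example.com, the dict-based session store, and the header/form dictionaries are assumptions standing in for a real web framework.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed: the only origin from which the real login form is served.
ALLOWED_ORIGINS = {"https://vpn.example.com"}


def issue_login_token(session):
    """Called when the login page is rendered (before authentication).

    The token is stored in the pre-auth session and embedded in the form as a
    hidden field; a forged page on another site cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers):
    """Verify the request origin from the Origin header, falling back to
    Referer. A request carrying neither header is rejected: browsers send at
    least one for form posts, so silence is not a reason to trust."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlparse(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def validate_login_request(headers, form, session):
    """Run before the username/password are even looked at.

    Returns (accepted, reason). Both checks must pass: the origin check stops
    a post relayed from a look-alike page, and the token check stops a post
    from a session that never loaded our login page."""
    if not origin_allowed(headers):
        return False, "origin"
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "token"
    # Caller should rotate the session id after a successful login.
    return True, "ok"
```

Tokens should be tied to a session cookie that is itself marked SameSite and Secure, so the pre-auth session cannot be carried along by a cross-site post.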
Spread the word.
Because this attack is relatively unknown, many organizations and vendors aren’t doing enough to protect against it. By helping to increase awareness, you can ensure that your team and your partners are informed, prepared, and protected before an incident occurs.