
I have a question concerning methods for executing CSRF. I did the CSRF Prompt By-pass lesson in WebGoat (Lessons -> Cross-site Scripting -> CSRF Prompt By-pass). The lesson requires you to craft an email message that sends two malicious requests to a web app that the recipient is logged in to. The first request sets a money transfer amount. The second is a confirmation request sent when the user would click "confirm" on a confirmation page.

I solved the task using JavaScript code that sends the requests as HTTP Post requests. I suppose another option would be using forms and JavaScript to submit the forms automatically.

My question is: why do most people seem to solve the lesson using img tags or iframes with src set to the target URL with the necessary parameters? I'd expect a money transfer to be done using HTTP POST requests, not GET. Is there an aspect that would make using JavaScript code or forms an invalid or problematic method for CSRF? Is there a practical difference when compared to the aforementioned tasks? I believe authorization isn't it, because you can have cookies sent with JavaScript fetch and when submitting a form.

hubbabubba
  • 121
  • 3

2 Answers

1

I can think of two major reasons why one might favour using img and iframe over a JavaScript proof of concept for the scenario you described above.

  1. There is this common mentality that I see among members of the security industry that simplicity is key when it comes to building proof of concepts. You will often encounter people trying to build the shortest payloads to exploit specific issues. Based on personal experience, your proof of concepts tend to be easier to understand and to share with fellow security researchers (this isn't always the case though as we see with XSS polyglots [1]). On top of that, it is also fun to try to shorten your payload (see "Code golf").
  2. When it comes to exploiting the issue, an adversary will probably want to cover as many edge cases as possible. Some users disable JavaScript in their browser which would render your exploit harmless. A non-JS-based exploit would solve this potential problem.
EdOverflow
  • 1,246
  • 8
  • 21
1

The reasons people use these tags instead of using JavaScript, IMO, are:
- Examples from early articles/publications
- Applications allowing users to post images/iframes (BBCode, Markdown, etc.)
- Pure HTML & ease of demonstration

The earlier examples used img or iframe tags because JavaScript XHR was not yet available and probably not all browsers would allow executing scripts. And because of implementation differences in browsers, scripts could have been broken easily.
Second, it's not uncommon to find applications allowing users to post images via Markdown or HTML img tags. However, they do not allow any JavaScript snippet or event handlers. These have already been used to target larger audiences in the past.
Thirdly, it doesn't require enabling JavaScript and isn't blocked by NoScript or similar. It's short and easy to demonstrate the attack.

These are only my reasonings. The real reason may differ and might conflict with mine. I'd appreciate any corrections.

1lastBr3ath
  • 909
  • 6
  • 13