RESTful Programming and CSRF
By Daniel Miessler on March 29th, 2008: Tagged as CSRF | Information Security | Programming | Web Security
[ Edit: Disregard this post. It was written by an evil, stupid man impersonating me. No, not really. It's just wrong. The focus of REST is HTTP verbs, not actions within URLs. I knew that, but mentally pooped myself while writing this. ]
I just realized something while on the Twitter site. Shouldn’t sites built using REST principles be more susceptible to CSRF attacks? I’ve only studied REST concepts for a few minutes when building a little sample Rails app, so I could be totally off here, but follow me for a second.
REST
The concept here is for URLs to both indicate functionality to users, as well as provide that functionality. So a URL like:
http://acme.com/products/cart/display
…would display the contents of your cart. Nice, right?
And a URl like:
http://acme.com/account/delete
…would nuke your account. Again, as you would expect from reading the URL.
CSRF
Cross Site Request Forgery (Sea Surf) works by getting people to follow links, via a number of methods such as embedding links in IMG tags or just plain getting them to click them via social engineering.
The trick is that if you can get someone’s browser (or them) to follow a URL, while they’re logged into a given site, the “action” associated with that URL will be executed using their credentials. By credentials I usually mean a valid cookie. When your browser sends requests (even for images) to remote websites, and you happen to have a cookie for that site on your system, that cookie will be sent with ALL requests to that site. It’s kind of scary, really.
I did a proof of concept on this over at DSLR recently, where just by visiting a page I could log you out of your account there. I did that via the IMG tag trick. An image on the page pointed to the logout URL, so if you had a cookie for DSLR and loaded the fake image (which the browse does for you without your knowledge), you were logged out.
How It Would Work
So that’s the thing — RESTful URLs are associated with actions, and CSRF is based on getting you to visit URLs that have actions associated with them. Imagine a CSRF campaign against ACME company where tons of links are emailed out to ACME users with the following URLs in them:
http://somesite.com/product/1234/purchase http://somecause.com/campaign/donate http://favoritesite.com/account/terminate
Remember that if any of the people following those links have valid cookies for those sites, they could automatically have those things happen. And if the attacker uses the IMG trick like I demonstrated, the user wouldn’t even know anything took place because it would have been their browser that performed the action, not them.
Anyway, just a thought. Maybe something to think about when working with RESTful designs.: