
July 20th, 2009, 10:50 GMT · By

Feasible Client-Side CSRF Token Brute Force Attack Revealed

New CSRF attack steals and uses unique tokens
An application security researcher has devised a proof-of-concept attack capable of bypassing commonly used cross-site request forgery (CSRF) protections, such as assigning random tokens bound to the session. The complete attack builds on an older technique of searching the browser's history via CSS.

Cross-site request forgery (CSRF) is a type of attack in which a website's default trust in an authenticated user is exploited. It involves creating a maliciously crafted webpage or e-mail containing code that forces the user's browser to open a URL associated with an action on a third-party website where that user is authenticated.

CSRF attacks are silent and are usually launched from legitimate but compromised sites that the user would normally trust. For example, the browser of a user visiting a compromised page on somesocialnetwork.com could be directed to open someonlinebanking.com/operations?transfer=1000&account=123456789, where 1000 represents $1,000 and 123456789 is the attacker's account.

To mitigate CSRF attacks, web developers associate unique, randomly generated tokens with each user session. URLs defining an action must have such a token appended to them in order for the action to be executed on behalf of the user.

From a remote attacker's perspective, it would be very hard and, most of the time, pointless to attempt to brute-force these tokens. "It generates [a] lot of noise on the network and is slow. So most probably an IDS or Web App Firewall will pick up the malicious behavior and block your IP. […] Many applications are programmed to invalidate your session after it detects more than a certain number of requests with invalid token values. E.g. 30," Inferno explains on his SecureThoughts blog.

To get around this protection, Inferno hit on the idea of using an already known technique for inspecting a user's browsing history via CSS. With this method he is able to extract past and current tokens generated by a particular website, directly on the client side.

The resulting short list of tokens can then be used to brute-force an action by appending each candidate to the URL. For this to work, the token must either not change during a session or, if it does, the previously generated ones must remain valid. "Many times, this is the case as it enhances user experience and allows using forward and back browser buttons," Inferno explains.

The PoC provided by the researcher works on tokens of five characters or fewer, whose key space can be brute-forced in less than two minutes. It is worth noting, however, that increasing the token length makes the attack significantly less feasible.

Other server-side mitigations include passing CSRF tokens via hidden form inputs instead of appending them to URLs, and generating a new token for every form submission while invalidating the older ones.
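As an added illustration (not Inferno's PoC and not code from the article or any framework), here is a minimal Python token store that implements the server-side measures described above: tokens go into a hidden form input rather than a URL, a rotating policy invalidates earlier tokens when a new one is issued (contrasted with the reusable policy the attack depends on), and more than a configurable number of invalid tokens kills the session. All class and method names are hypothetical.

```python
import html
import secrets
from collections import defaultdict


class CsrfGuard:
    """Per-session CSRF token store (illustrative; hypothetical names).

    reusable=True : every token issued in the session stays valid (back/forward
                    button friendly, but a recovered old token can be replayed)
    reusable=False: a token is single-use, and issuing a new one retires the old
    In both modes, more than `max_failures` bad tokens invalidates the session.
    """

    def __init__(self, reusable=False, max_failures=30, token_bytes=16):
        self.reusable = reusable
        self.max_failures = max_failures
        self.token_bytes = token_bytes
        self._valid = defaultdict(set)   # session_id -> currently valid tokens
        self._failures = defaultdict(int)
        self._dead = set()               # sessions invalidated after too many failures

    def issue(self, session_id):
        """Create a fresh token for a form rendered in this session."""
        if session_id in self._dead:
            raise PermissionError("session invalidated")
        token = secrets.token_urlsafe(self.token_bytes)
        if not self.reusable:
            self._valid[session_id].clear()   # rotating policy: old tokens die here
        self._valid[session_id].add(token)
        return token

    def hidden_input(self, session_id):
        """Render the token as a hidden field, so it never appears in a URL."""
        return '<input type="hidden" name="csrf_token" value="%s">' % html.escape(
            self.issue(session_id), quote=True)

    def check(self, session_id, token):
        """True iff the token is valid for this session; consumed unless reusable."""
        if session_id in self._dead:
            return False
        if token in self._valid[session_id]:
            if not self.reusable:
                self._valid[session_id].discard(token)
            self._failures[session_id] = 0
            return True
        self._failures[session_id] += 1
        if self._failures[session_id] > self.max_failures:
            self._dead.add(session_id)          # mirrors the "e.g. 30" lockout
            self._valid.pop(session_id, None)
        return False

    def session_alive(self, session_id):
        return session_id not in self._dead
```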
