Is anyone familiar with CSRF?

Applying eValid to Rich Internet Application (RIA) Performance Monitoring.

Is anyone familiar with CSRF?

Postby TPittman » Thu Nov 03, 2016 5:49 am

One of the sites I'm monitoring uses CSRF cookies or tokens. I'm not familiar with this tool or practice or whatever it is, but the app owner says it's in use. He refers to it as though it's a cookie of some sort, but this value is kept in a hidden field on the form.
<input type="hidden" name="csrf_token" value="76760dba28242694a6821146aa8adea5" />
However, it's also showing up in the web log files when all is working correctly. But it's not coming through sometimes and the web page is returning a 403 error. See the attachment for some web log file extracts showing the csrf_connect cookie showing up certain times and not others.

So, eValid appears to be losing this value sometimes and this results in an error and the script fails. I am trying the introduction of delays in various parts of the script to see if that helps but I'm not sure what else to try. It's not a complicated script, just sometimes the login-submit works and sometimes it fails. When it fails, its because the CSRF token is missing and this results in a 403 error from the page.
Attachments
evalid-logcap.png
Screenshot of logs
evalid-logcap.png (77.18 KiB) Viewed 967 times
TPittman
 
Posts: 1
Joined: Tue Aug 09, 2016 7:59 am

Re: Is anyone familiar with CSRF?

Postby eValid » Fri Nov 04, 2016 11:46 am

TPittman wrote:One of the sites I'm monitoring uses CSRF cookies or tokens. I'm not familiar with this tool or practice or whatever it is, but the app owner says it's in use. He refers to it as though it's a cookie of some sort, but this value is kept in a hidden field on the form.
<input type="hidden" name="csrf_token" value="76760dba28242694a6821146aa8adea5" />
However, it's also showing up in the web log files when all is working correctly. But it's not coming through sometimes and the web page is returning a 403 error. See the attachment for some web log file extracts showing the csrf_connect cookie showing up certain times and not others.

So, eValid appears to be losing this value sometimes and this results in an error and the script fails. I am trying the introduction of delays in various parts of the script to see if that helps but I'm not sure what else to try. It's not a complicated script, just sometimes the login-submit works and sometimes it fails. When it fails, its because the CSRF token is missing and this results in a 403 error from the page.


Thanks for asking TPittman.

Good question.

From the post you gave some information, but ultimately to diagnose this you need to be able to use eValid in full-fidelity to see what is really going on.

In your own machine, try running the playback in "single-step" mode while you have the EventLog open.

That should help understand the dynamics.

But, you asked for suggestions on what might be going on and how to fix it.

(1) Are you sure that another instance of eValid is not deleting cookies between runs of the subject script?

There is only ONE cache and only ONE set of cookies.

A playback that deletes cookies might be the problem.

(2) Make sure your OWN script does NOT say "Delete Cookie?"

(You didn't provide the script so we have to ask you this obvious question, sorry).

(3) That you have a hidden element is not unusual, but the "csrf_token" is suggestive that that element may actually contain a JavaScript or possibly some intermediate variable or state value that elsewhere in the page is attempting to prevent spoofing of the URL?

To know this for sure you would have to use the PageMap to find the right element and extract its contents.

Just as suggestion this is at playback for debugging purposes do something like this:

# This sets the sourceIndex...
IndexFindEElement "csrf_token"
# This extracts the content of the token...
IndexSaveObjectProperty property-name some-local-file

Now you can see what's there.

Here is the reference page you'll need:

http://www.e-valid.com/Products/Documen ... bjProperty

(4) Cross-Site Scripting is a well-known hacking approach.

See this Wikipedia page:

https://www.owasp.org/index.php/Cross-S ... gery_(CSRF)

(5) Yes, it could be a timing issue; if the script works in single step mode and fails in automatic mode, then you have a playback synchronization problem.

See:

http://www.e-valid.com/Products/Documen ... n.dom.html

(6) Final suggestion, based on your observation that the incorrect behavior is not repeatable: sometimes the script works and sometimes fails.

Maybe that is the correct behavior?

-- eValid Support
eValid
 
Posts: 1730
Joined: Tue Jan 01, 2008 12:48 pm
Location: USA


Return to Rich Internet Application Monitoring (RIA)

Design Downloaded from free phpBB templates | free website templates | Free Web Buttons