Thursday, 1 September 2011

Forced Browsing Attack

Forced browsing, as used in this post, is an XSRF (cross-site request forgery) attack in which a user's browser is made to request content without the user's knowledge. (In current usage the attack described here is called CSRF/XSRF; "forced browsing" more often means guessing the URLs of unlinked pages.) The advertisements on this blog are an everyday example of the mechanism: your browser fetches them without you asking for them, and you cannot control that while reading this blog. A site is vulnerable to this attack if it performs an action on any request that carries the user's cookies, without confirming the action with the user or checking that the request came from the site itself. For example, suppose www.victimsite.com is vulnerable. You want to buy Bit Defender anti-virus from www.victimsite.com, so you click the Add to Cart button, and the site processes your request through a URL that looks something like this:


www.victimsite.com/software/antivirus.php?product_id=123456

If the site adds the product to the cart on that request alone, without confirming anything with the user, it can be attacked with forced browsing. (The URL above is only an example; real sites vary.) An attacker who wants to exploit this places an advertisement or a review of the product on his/her own website, and instead of a direct link behind the ADD TO CART button he/she links to a script that forces the visitor's browser to request the add-to-cart URL, possibly for more than one product. If the attacker writes that script in PHP and tries to add a second product by redirecting twice, it looks like this:

<?php

/**** Some Lines of Code *****/

// Redirect the victim's browser to the add-to-cart URL (absolute URL with scheme,
// otherwise the browser treats it as a path on the attacker's own site).
header ('Location: http://www.victimsite.com/software/antivirus.php?product_id=123456');

/**** Some Lines of Code *****/

// NOTE: header() replaces an earlier Location header by default, and a single
// response can redirect only once, so this second call is the only redirect sent.
header ('Location: http://www.victimsite.com/software/antivirus.php?product_id=654321');

/**** Some Lines of Code *****/

exit;
?>

Note that a second header('Location: ...') call in the same response does not produce a second redirect: PHP replaces the earlier header, and a browser follows only one Location per response. So the following script sends the victim to product_id=654321 only:

<?php
header ('Location: http://www.victimsite.com/software/antivirus.php?product_id=123456');
header ('Location: http://www.victimsite.com/software/antivirus.php?product_id=654321'); // replaces the header above
exit;
?>

An attacker who wants two or more products added therefore needs one request per product, for example an <img> tag for each add-to-cart URL placed in the review page; the victim's browser loads every image and sends the victim's session cookie with each request. When the victim checks out, his/her cart holds two products instead of one, and he/she is fooled into buying an extra product.

A site that does not use random, server-side session identifiers for its cart, but instead records products in cookies whose value is fixed for each product, is also vulnerable to forced browsing. If the cookie value for a product is static, an attacker can read it once and craft his/her script to plant that value in the browser the victim is using, so that the victim has to pay for more than one product at checkout. (The attacker's own page cannot set cookies for www.victimsite.com directly, so this needs some way of getting the value into the victim's browser, for example a cookie-setting flaw elsewhere on that domain.) Such sites are more dangerous than sites that can only be attacked through URLs, because the identifiers are guessable rather than per-session secrets.
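The following is an added example (not code from the original post) that models the whole chain described in the two sections above in Python: the attacker's review page with one request per product, a toy browser that attaches the victim's cookies to each request, the post's vulnerable add-to-cart handler, and the same handler hardened with the checks a cross-site page cannot satisfy (POST only, Origin check, per-session anti-CSRF token, unguessable session ids). www.victimsite.com, /software/antivirus.php and the product ids are the post's placeholders; the request dictionaries, handler names and session store are assumptions of this model, not any real site's code.

```python
"""Toy model of the forced-browsing (CSRF) cart attack and a hardened handler.
Added example; the site, path and product ids are the post's placeholders,
everything else here is an assumed, self-contained simulation."""
import hmac
import re
import secrets
from urllib.parse import urlsplit, parse_qs

VICTIM_ORIGIN = "http://www.victimsite.com"
CART_PATH = "/software/antivirus.php"
SESSIONS = {}  # server-side session store: cookie value -> session state


def new_session():
    """Log a user in: unguessable session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"cart": [], "csrf": secrets.token_urlsafe(32)}
    return sid


def vulnerable_add_to_cart(req):
    """The post's scenario: any GET that carries the session cookie is processed."""
    sess = SESSIONS.get(req["cookies"].get("sid"))
    if sess is None:
        return 401, "login required"
    pid = parse_qs(urlsplit(req["url"]).query).get("product_id", [None])[0]
    if pid is None:
        return 400, "missing product_id"
    sess["cart"].append(pid)
    return 200, "added"


def hardened_add_to_cart(req):
    """Same endpoint with three checks a cross-site page cannot satisfy."""
    sess = SESSIONS.get(req["cookies"].get("sid"))
    if sess is None:
        return 401, "login required"
    if req["method"] != "POST":            # an <img> or redirect can only make a GET
        return 405, "state change requires POST"
    if req["headers"].get("Origin") != VICTIM_ORIGIN:  # browsers set Origin on cross-site POST
        return 403, "cross-site request"
    token = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):   # constant-time token compare
        return 403, "bad csrf token"
    pid = req["form"].get("product_id")
    if pid is None:
        return 400, "missing product_id"
    sess["cart"].append(pid)
    return 200, "added"


def attacker_page(product_ids):
    """Attacker's review page: one <img> per product, so the victim's browser sends
    one add-to-cart GET per product (chained Location headers would give only one)."""
    tags = "".join(
        f'<img src="{VICTIM_ORIGIN}{CART_PATH}?product_id={pid}" width="1" height="1">'
        for pid in product_ids
    )
    return f"<html><body><h1>Bit Defender review</h1>{tags}</body></html>"


def browser_loads(html, cookie_jar):
    """Toy browser: fetch every <img> and attach the cookies stored for that host.
    The automatic cookie attachment is exactly what makes the attack work."""
    requests = []
    for url in re.findall(r'<img src="([^"]+)"', html):
        host = urlsplit(url).hostname
        requests.append({"method": "GET", "url": url, "headers": {},
                         "cookies": cookie_jar.get(host, {}), "form": {}})
    return requests


def run_attack(handler, product_ids=("123456", "654321")):
    """Victim logs in to the victim site, then views the attacker's page.
    Returns the victim's cart contents afterwards."""
    sid = new_session()
    jar = {"www.victimsite.com": {"sid": sid}}
    for req in browser_loads(attacker_page(product_ids), jar):
        handler(req)
    return list(SESSIONS[sid]["cart"])


def legitimate_add(sid, product_id):
    """What the site's own Add to Cart form sends; passes the hardened checks."""
    req = {"method": "POST", "url": VICTIM_ORIGIN + CART_PATH,
           "headers": {"Origin": VICTIM_ORIGIN}, "cookies": {"sid": sid},
           "form": {"product_id": product_id, "csrf_token": SESSIONS[sid]["csrf"]}}
    return hardened_add_to_cart(req)


if __name__ == "__main__":
    print("vulnerable cart after attack:", run_attack(vulnerable_add_to_cart))
    print("hardened cart after attack:  ", run_attack(hardened_add_to_cart))
```

Running it shows the vulnerable handler ending with both products in the victim's cart while the hardened one adds nothing, because every request a third-party page can make the browser send is a GET with no Origin and no token. The random session id from secrets.token_urlsafe is also what removes the static-cookie problem from the previous paragraph: there is no fixed per-product value for an attacker to read and reuse.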

Now the final words for the day. In practice you can hardly tell whether a site is vulnerable to this kind of attack unless you have some experience with web development tools and web application development. A quick check that does not need much: if an action such as add-to-cart goes through as a plain GET carrying nothing but the session cookie, with no per-request token and no confirmation step, the site is open to it. Everything explained above is a basic example, deliberately simplified so that even a newcomer can understand forced browsing XSRF attacks; an experienced web developer or web application developer reading this will easily find several variations of the above method that make a real attack. In other words, a person with no knowledge of web development or web application development can hardly figure out whether a site is vulnerable, and even if he/she does, he/she will have little idea of how to exploit it.
