Cross Site Request Forgery (CSRF) – how clever hackers obtain access to your accounts

Written by BWG on . Posted in Security, Vulnerabilities

Most developers these days are well aware of the importance of validating user input. Validating user input prevents a user from injecting malicious code through your web forms. Injecting code into a form on a website is known as Cross-Site Scripting (XSS) and is different from CSRF. Unfortunately, many developers are still not educated enough in security: although they validate their input correctly, they forget to implement CSRF protections, a critical error that leaves the site vulnerable to attack. We are going to talk about CSRF, what it is, how to prevent it, and what can happen if you don't.

Take this example: you are logged into your bank's website, which is vulnerable to CSRF. There are certain actions you can take as a logged-in user that pertain to your account, for instance deleting your account, editing your profile, or changing your password. CSRF allows an attacker to trigger those same website functions, the things you can do while you're logged in. The caveat is that you must have this tab open in your browser for the attack to work.

As a user who is unaware of the evil plot underway, you click a link in an email you received (or browse to a malicious website), and it brings you to a web page as expected. Meanwhile you're still logged into your bank's website in a different tab. The evil website then makes a request to your bank's website, claiming you want to delete your account. The bank's website has no CSRF protection, so it goes ahead and deletes your account. You have no idea what just happened and go about your business.


This is a typical CSRF scenario. The bank had no way of telling whether you legitimately clicked the delete-account button or whether the request was forged by a site you were browsing. Because these requests happen in the background, you as a user never see them. Simply browsing the web can lead to your account being compromised!

This could have been prevented if the developer writing the bank's software had been knowledgeable about CSRF. To prevent CSRF attacks on your website, forms and "state change" action buttons need to contain a token. A token is a unique, randomly generated string of numbers and letters. So, say I have a form. The form contains a text field for a password change, asking the user what they would like to change their password to. We also add a hidden field (the user will not see this field, but it is sent to the user in the HTML that makes up the form, so it's not truly hidden) and put our unique generated token in it. Now when I submit the new password, the server expects this token to come back and to match the token it supplied. If it does not, we disregard the request, because it either had no token or the token was invalid. This is how you can successfully prevent CSRF attacks.
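The password-change form described above, worked through as an added example (this is not code from the original post): a token is generated per session, embedded in a hidden field, and checked on submit. The in-memory session store, the `/change-password` route and the form field names are assumptions for the demonstration.

```python
import hmac
import re
import secrets

# Constructed in-memory session store keyed by session id (assumption: a real
# application keeps this server side in its session backend).
SESSIONS = {}

def new_session():
    """Start a logged-in session and issue it a fresh random CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_password_form(sid):
    """Return the change-password form with the session's token in a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/change-password">\n'
        '  <input type="password" name="new_password">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <button type="submit">Change password</button>\n'
        '</form>'
    )

def extract_token(html):
    """What the legitimate browser sends back: the token read from the form HTML."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return match.group(1) if match else ""

def handle_change_password(sid, form):
    """Apply the state change only if the submitted token matches the session's token."""
    session = SESSIONS.get(sid)
    if session is None:
        return (401, "not logged in")
    submitted = form.get("csrf_token", "")
    expected = session["csrf_token"]
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not submitted or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return (403, "missing or invalid CSRF token")
    session["password"] = form.get("new_password", "")
    return (200, "password changed")
```

A forged cross-site request rides on the victim's session cookie but cannot read the token out of the bank's page, so it arrives without a valid token and is rejected with 403.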

If your website is vulnerable to both XSS and CSRF, it opens up a whole new world of hacking possibilities, as the attacker no longer needs to trick you into clicking a link or wait for the rare occasion when you have the vulnerable website open in a tab. By injecting code into the website itself, the chances that you browse that page are a lot higher, and most people will fall victim to these kinds of attacks.

To be safe, inputs should not only be validated and stripped of special characters, but every state-changing request should also carry a unique token that the server checks against. Doing these two things will thwart a lot of hacking attempts and keep you and your users safe from hackers.

For more information on this or other topics, or if you think you have been directly affected by one of these attacks, please call us at 855.355.SITE today.

WordPress 4.2.3 is here!

Written by Anthony D on . Posted in Security, Vulnerabilities, WordPress

WordPress, everyone's favorite CMS, has a new version, 4.2.3, available today. This is a security release for all previous versions, and of course we strongly recommend that you update your WordPress website immediately.

Here at Boston Web Group, we've seen tons of WordPress sites get hacked. It's a sad thing to see, but we've also learned a great deal about WordPress hardening, server security, and plugin auditing. That's why we're rolling out WP Compass – a fully managed and extremely secure WordPress hosting service.

WordPress versions 4.2.2 and earlier are affected by an XSS (cross-site scripting) vulnerability, which could allow users holding certain permissions and roles to compromise your WordPress site.

What is XSS?

  • Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

We want to thank those at WordPress and on the amazing WordPress Core Developer team who have practiced responsible disclosure of security issues and helped us all make WordPress a better CMS.

WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see the release notes or consult the list of changes.

How do I upgrade my WordPress? Download WordPress 4.2.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.3.