What is a CSRF attack?
cen1
I am sure every single player has stumbled upon this annoying message without any idea what the hell it means. A CSRF attack is a type of web attack which may sound quite technical to newbz, but I will try to explain it the best way I can.
1. How interwebz work
The simplest way to describe the internet is in 3 steps:
1. You send an HTTP request to a web server. For example: "Give me the page at www.erepublik.com"
2. The web server at erepublik.com generates the requested page and sends it to your browser (or just sends the headless chicken in most cases)
3. Your browser renders the page
2. How can a CSRF attack harm me?
Imagine this situation:
1. You are logged in to erepublik
2. Someone in shouts or on the IRC channel sends you a link to what seems to be a picture of a kitten. Or maybe a form to get tanks, or really whatever he wants to lie about.
3. You click the link
4. The website you just opened is malicious. Via javascript, a fake image link, a hidden iframe etc. it sends a request to erepublik.com to donate money to the attacker.
How is it possible that some random site can send such a request to the erepublik server, you say? Well, first things first: you are already logged in to erepublik, so your browser attaches your login cookie to every request it sends there. With javascript a page can also submit form data to anywhere it wants. The fake website can also contain something as simple as an image:
<img src="http://erepublik.com/donate?amount=100&to=id_of_attacker">
Your browser sees this "image" and sends a request to the server to fetch it. But it's not an image... it's a link that donates your money to the attacker. The image will obviously show up as broken, but that does not matter: the request was already sent. This is just an example, because donations on erepublik do not go through link parameters, but I hope you get the idea.
The actual donations work via a POST request. For example, this is the HTTP request sent to the erepublik web server when you donate:
POST /en/economy/donate-money-action HTTP/1.1
...random stuff which we don't have to explain...
citizen_id:2417760 <-- you send to this guy
amount:1 <-- how much gold/cc
currency_id:1 <-- gold or cc
_token:ea285420f0605742b02907d55254bee
If the attacker's website can send this information to the erepublik web server, you lose your gold/money. Or it can change your password, or your email, or do anything really. It is as if you personally filled in the form and clicked the Donate button, except it was done by a malicious website. Hmm, but what is that _token thing that we send from the form? Let's see that in point 3.
TLDR:
- you are logged in to erepublik or have an autologin cookie
- you open a malicious website
- the website sends a request to erepublik.com servers to do something bad to your account. It can be via javascript, image links or some other method.
3. How to prevent a CSRF attack?
The usual way to prevent a CSRF attack is with form tokens. When you log in, the website generates a random string of some length, and that is your token for that login session.
This random token is then added to every single form in the game, and you send it together with the other information every time you submit the form. The web server then compares the token you sent with the one it stored at the start of the session, and if they match your form submission is legit.
How does this prevent the attack? Well, check the HTTP request above. If the attacker is an erepublik player he can easily check in the page source what parameters need to be sent; he can look up your player ID, and the currency id is just 0 or 1. So the attacker knows all the parameters which need to be sent... except the token. He can't know the token because it is randomly generated every time you log in.
But hey... can't the attacker simply request the donation page with javascript and read the token that way? No. There is something called the "same origin policy" in web browsers, which basically means that a script on one website can't read the response to a request it makes to a website outside its own origin. It can still send the request (that is exactly what the attack in point 2 does), but it never gets to see the page that comes back, so it never sees the token.
From W3.org about the same origin policy:
An origin is defined by the scheme, host, and port of a URL. Generally speaking, documents retrieved from distinct origins are isolated from each other. For example, if a document retrieved from http://example.com/doc.html tries to access the DOM of a document retrieved from https://example.com/target.html, the user agent will disallow access because the origin of the first document, (http, example.com, 80), does not match the origin of the second document (https, example.com, 443).
Although the same-origin policy differs between APIs, the overarching intent is to let users visit untrusted web sites without those web sites interfering with the user's session with honest web sites.
This makes sense, because you can't just allow some random website to read your e-bank page, right?
In order to circumvent the same origin policy, the attacker would somehow need to place his javascript code on an erepublik.com page. That way the javascript being executed would be on the same origin as the page being requested. How could he possibly do that? It's called an XSS exploit, and we will learn about it in the next lesson.
Ultimately, the reason you get the CSRF attack error is that your login session expired and a new token had to be generated, so the token in the form you are submitting no longer matches the one the server stores. The only solution is to log in again.
Yes, I did get the CSRF attack error while writing this article. One solution to the problem is to increase the login session time, especially for article writers. Luckily, at least now erepublik saves article drafts for us.
Comments
pole!
Next Article: How to do CSRF and XSS attacks. See how long it takes the admins to take it down 🙂
I don't think that is actually against erep laws. I did not intend to write that anyway. 🙂
XSS is illegal in the UK though(pretty sure) so you will need to teach everyone to go to the coffee shop or use a VPN.
I guess writing about the exploit with intent to teach someone how to avoid it or fight against it is different than actually using the exploit.
so this CSRF attacks do cats?
thanks for the info
v
There are plenty of attacks and ways to avoid them, but the eRep code is so buggy that they just fail at it. If your user is annoyed because something is not working and it still does not prevent accounts from being hijacked, you are doing it wrong.
Let's not even get started on the passwords being sent in plain text on login (no https anywhere) or the gazillion scripts people use that give full access to the account...
vote
[dunno if it is that what you have written in the article but..]
I always get a CSRF attack when I have in fact already logged off erepublik without realizing it.
so let's take the scenario: I write a long comment* and then want to post it
1. I write in one tab (page in my browser)
2. copy the text
3. send the text in the tab
-> CSRF attack, because in fact I was logged out since before I did step 2.
if I
1. write text in one tab
2. refresh the other tab with erepublik to get sent to the start page
3. login
4. now logged in, I go back to the old tab where I have written the text and try to post
-> still CSRF attack, and this even when I refresh the page before I try to post
=> I need to:
log in to erepublik AND open the page (with the article where I want to post the comment) totally NEW again, and only then do I get no CSRF attack
___
*that's a very theoretical scenario, as I don't write A comment but at least many, and I don't write LONG comments but often longcat comments - but it is only used as an example, so please bear with me
.
hint: to prevent this happening you can also
1. open the erep page with the article, comment or other stuff you are writing at the moment
2. open a second tab/page with erepublik
3. write your stuff BUT from time to time go to the second erep page and refresh the page to prevent the auto logout
4. copy the stuff you have written (to be sure) and then post your stuff without having a CSRF thingy
.
btw what is the auto-logout time at the moment?
5 minutes?
Yep. As soon as you logged in you got a new token. The page where you are writing the comment still has the old one and that is why you get the error.
If you refresh the page in another tab before you get logged out it will prolong the session and everything is fine.
what is still surprising for an "only using this stuff" guy like me is that (if I have seen it right) even if I log in again and then go to the other tab with the old page and refresh it (!) it will still bring the CSRF
btw here is another strange one:
1. get an alert or PM + don't open it
2. go to an RW "select your side" page
=> no alert/PM shown there, but it is shown again on every other page
or
if the red alert thingy is shown in the RW "select your side" page
1. open the alert page/PM so that after that no red thingy is shown anymore on the pages
2. go to the RW "select your side" page
=> new PM or alert is still shown there
wtf is that? is it just me or is that normal?
wow, great article cen1, we want more articles like this. Big vote
I always get "CSRF attack" written when I want to publish the newspaper, and it doesn't "open" the newspaper for me except by opening my previous (old) newspaper. When I change the title to the new newspaper and want to publish it, I get CSRF.
If I then go back to the newspaper, it opens a newspaper without a title, i.e. ready for publishing. When I enter the new title there and publish, everything is fine and it gets published, as if nothing had been wrong before.
Regards, mufekk
who even knows you, papa?
imagine what Dogs would do...
v+s 🙂