Tags: c#, asp.net, security, authentication, session-cookies

Vulnerable when user clicks on a malicious link


I am trying to understand secure login authentication. The code implementing the login functionality is in the following link. (In this scenario a GUID is used, but in a real-life scenario a better mechanism can be employed.)

https://github.com/GrepSecurity/SessionFixationExample/blob/master/SessionFixationExample/SecureLoginFunc/SecureLogin.aspx.cs

Once the user has logged in, the welcome page uses the code in the following link to check user authenticity. (This is the most common code I could find for verifying user authentication.)

https://github.com/GrepSecurity/SessionFixationExample/blob/master/SessionFixationExample/SecureLoginFunc/SecureLogout.aspx.cs

I was thinking of one scenario where this can fail. Consider the following:

  1. Victim has logged in
  2. Victim will have 2 session variables created at the server. Ex: Session["userLoggedin"] = "Victim"; Session["AuthToken"] = "GUID"
  3. Victim will have a cookie created in his browser. Ex: Cookie["AuthToken"] = "GUID"
  4. Attacker sends a malicious link to the victim that makes some change to his state (sends a friend request, deletes a user, logs the victim out, ...). Let's assume the link is as follows: www.somewebsite.com/Logout, and this logs out the user.
  5. Victim clicks the link and gets authenticated, because the cookie from the browser, i.e. "GUID", is sent to the server and is validated against the session variable.
  6. User gets logged out.

I understand that there is no serious effect with the possibilities mentioned above, but still, can this scenario be prevented? Or is this even a valid scenario? Am I missing something?

Here are my questions:

  1. Can this scenario be handled? (Considering this is a valid scenario.)
  2. Am I referring to secure code?
  3. What is this vulnerability?
  4. How can I mitigate this?

Solution

  • In this example you mentioned another attack scenario (CSRF).

    What CSRF basically means: an attacker performs an action on behalf of the victim. This action, or the originating request for this action, will come from another site.

    To protect against CSRF you may need to follow OWASP's guideline. (https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md)

    But for your example, let's assume you want to protect the action called Order. There will be a token generated on your server. This token will then be rendered or sent to the client. A valid request would look like www.somebsite.com/Order with POST parameters Order=Something & Token="RANDOM_TOKEN"

    This token will afterwards be checked by the server before performing this operation.

    The attacker nevertheless won't have access to this token if he is simply originating this request from another site/domain, since it was rendered on the client's page.

    Is it possible for the attacker to get access to this token?

    Yes, it may be possible if the application is vulnerable to XSS. Using JS, the attacker can send a malicious link to the victim with a JS command that will

    • Fetch the Rendered CSRF Token.
    • Perform the Action with the token.

    Although the usual scenario for XSS is to steal the victim's cookies, in case the cookies were flagged HttpOnly a CSRF attack might still be possible.
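As an added illustration of the synchronizer-token pattern the answer describes (my own example, not code from the linked SessionFixationExample project): the token is created once per session, rendered into a hidden field, and checked on POST before the Logout action runs. The page class name and the `TokenField` control are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.SessionState;
using System.Web.UI;

// Hypothetical helper; not part of the linked SessionFixationExample project.
public static class CsrfToken
{
    private const string SessionKey = "CsrfToken";
    // One random token per session, created on first use and reused while the session lives.
    public static string GetOrCreate(HttpSessionState session)
    {
        var token = session[SessionKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(bytes); }
            token = Convert.ToBase64String(bytes);
            session[SessionKey] = token;
        }
        return token;
    }
    // Constant-time comparison of the submitted token against the session copy.
    public static bool IsValid(HttpSessionState session, string submitted)
    {
        var expected = session[SessionKey] as string;
        if (expected == null || submitted == null || expected.Length != submitted.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ submitted[i];
        return diff == 0;
    }
}

// Code-behind for the logout page. Assumed markup: a server form containing
// <asp:HiddenField ID="TokenField" runat="server" /> and a submit button.
public partial class SecureLogout : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {   // A GET (e.g. the attacker's www.somewebsite.com/Logout link) only renders the form.
            TokenField.Value = CsrfToken.GetOrCreate(Session);
            return;
        }
        // Token missing or wrong: a cross-site POST cannot supply it, so refuse the action.
        if (!CsrfToken.IsValid(Session, TokenField.Value)) { Response.StatusCode = 403; Response.End(); }
        Session.Abandon();                                   // the real logout, only after the check
        Response.Cookies["AuthToken"].Expires = DateTime.UtcNow.AddDays(-1);
    }
}
```

The browser still attaches the session cookie to a cross-site request, but the attacker's page cannot read the token rendered into the hidden field, so the forged POST fails the check and the state change never happens.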