Cross-Site Request Forgery
- Cross-Site Request Forgery, or CSRF for short, is a common web attack. CSRF also goes by the acronym XSRF and the nickname “Sea-Surf”.
- In a CSRF attack, the attacker causes the victim’s browser to send requests of the attacker’s choosing to a website that trusts that browser, without the victim’s knowledge or consent.
- In Cross-Site Scripting (XSS), the attacker exploits the trust a user has in a website; with CSRF, on the other hand, the attacker exploits the trust a website has in a user’s browser.
Basically, an attacker uses CSRF to trick a victim into visiting a page or clicking a link that triggers requests the victim never intended to make.
It is called ‘malicious’ because the forged requests carry the victim’s identity and privileges: the website treats them as the victim’s own actions, so the attacker can perform whatever the victim is allowed to do, such as changing account details submitted through a form, or launching purchases or payments to the attacker’s or a third party’s account.
- For most websites, the browser automatically attaches to every request whatever credentials it holds for that site, such as the user’s session cookie or HTTP basic authentication credentials; the request also arrives from the user’s own IP address, which matters where a site grants trust to particular source addresses.
- Thus, if the user’s authenticated session is still valid, an attacker can use CSRF to make the browser issue any request against the website, and the website cannot tell from those credentials alone whether the user intended the request or not.
A Simple Example of a Cross-Site Request Forgery
- As described above, for a CSRF attack to work the victim must be authenticated with the target website (typically, logged in with a session cookie that is still valid).
- Assuming the victim is authenticated, the attacker places a link or script on a third-party website that the victim visits.
- When the victim loads that page, the forged request is sent without the victim being aware of it. For instance, on a chat forum an attacker posts a message that contains an HTML image element.
- The image’s source attribute, however, is a URL that performs an action on the victim’s bank account.
- So instead of an image file, the attacker has embedded a URL that performs a bank transaction, and the browser fetches it automatically, with the victim’s bank cookies attached, as soon as it renders the post. Below is an example of the image tag containing a rogue URL.
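The forum-post attack described above, as an added, runnable illustration that is not part of the original page. Everything in it is constructed for the example: the hypothetical origin bank.example, its GET /transfer endpoint, the users alice and mallory, and a toy browser that models exactly one real-browser behaviour, namely attaching the cookies it holds for an origin to every request sent to that origin, including an image load triggered by some other site’s page.

```python
import re
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

BANK = "https://bank.example"  # hypothetical origin, not a real site


@dataclass
class Request:
    method: str
    path: str
    cookies: dict   # cookies the browser attached for the target origin
    params: dict    # query-string parameters


class VulnerableBank:
    """Toy bank: GET /transfer?to=...&amount=... guarded only by the session cookie."""

    def __init__(self):
        self.sessions = {}                          # session id -> username
        self.balances = {"alice": 1000, "mallory": 0}

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid

    def handle(self, req):
        user = self.sessions.get(req.cookies.get("session"))
        if user is None:
            return 401, "not logged in"
        if req.path == "/transfer":
            to, amount = req.params["to"], int(req.params["amount"])
            self.balances[user] -= amount
            self.balances[to] = self.balances.get(to, 0) + amount
            return 200, f"transferred {amount} to {to}"
        return 404, "no such page"


class Browser:
    """Keeps one cookie jar per origin and, like a real browser without SameSite
    cookies, sends the jar for the target origin with every request to that
    origin, regardless of which site's page triggered the request."""

    def __init__(self):
        self.jars = {}    # origin -> {cookie name: value}
        self.sites = {}   # origin -> app that answers requests for it

    def register(self, origin, app):
        self.sites[origin] = app

    def set_cookie(self, origin, name, value):
        self.jars.setdefault(origin, {})[name] = value

    def fetch(self, method, url):
        parts = urlsplit(url)
        origin = f"{parts.scheme}://{parts.netloc}"
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        req = Request(method, parts.path, dict(self.jars.get(origin, {})), params)
        return self.sites[origin].handle(req)

    def render(self, html):
        """Load every <img src> the way a browser does: a GET, no user
        interaction, and the destination origin's cookies attached."""
        return [self.fetch("GET", src) for src in re.findall(r'<img[^>]*\ssrc="([^"]+)"', html)]


def run_attack():
    """Alice logs in to the bank, then merely reads a forum post written by Mallory."""
    bank, browser = VulnerableBank(), Browser()
    browser.register(BANK, bank)
    browser.set_cookie(BANK, "session", bank.login("alice"))

    # Mallory's post (constructed). The image is 1x1 so nothing visible appears,
    # and its "source" is the bank's transfer action rather than an image file.
    forum_post = (
        "<p>Look at my cat!</p>"
        f'<img src="{BANK}/transfer?to=mallory&amount=500" width="1" height="1">'
    )
    responses = browser.render(forum_post)
    return responses, bank.balances


if __name__ == "__main__":
    print(run_attack())
```

The bank never sees anything unusual: the request carries Alice’s valid session cookie and is indistinguishable from one she typed herself. That is the whole point of the attack, and why the fix has to be something the attacking page cannot supply.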
Preventing Cross-Site Request Forgery (CSRF) Vulnerabilities
- The most common way to prevent Cross-Site Request Forgery (CSRF) attacks is to include an unpredictable challenge token in each state-changing request and tie that token to the user’s session.
- Such tokens should at a minimum be unique per user session, but can also be unique per request (a fresh token for each form, invalidated once it has been used).
- By requiring a valid token with each request, the developer ensures that the request originated from a page the application itself served to that user, which a cross-site attacker cannot read, rather than from a third-party site. Newer browser controls, such as the SameSite cookie attribute and server-side checks of the Origin header, complement tokens but do not replace them.
Finding and Remediating Cross-Site Request Forgery (CSRF) Vulnerabilities
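The remediation side first: the session-bound token mechanism from the previous section, implemented as an added example that is not the page’s own code. Everything here is assumed for illustration: the toy bank app, its GET /transfer-form and POST /transfer routes, the user names, and the use of Python’s standard secrets and hmac modules for token generation and comparison. The example goes slightly beyond the text by also showing the per-request variant, where a token is single-use.

```python
import hmac
import re
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    csrf_token: str   # unpredictable challenge token bound to this session


@dataclass
class Request:
    method: str
    path: str
    cookies: dict   # what the browser attached automatically
    form: dict      # what the submitting page put in the request body


class HardenedBank:
    """Only POST /transfer changes state, and it demands the session's token."""

    def __init__(self, per_request_tokens=False):
        self.sessions = {}                                     # session id -> Session
        self.balances = {"alice": 1000, "bob": 0, "mallory": 0}
        self.per_request_tokens = per_request_tokens

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, secrets.token_urlsafe(32))
        return sid

    def transfer_form(self, session):
        # The token is disclosed only inside this same-origin page. The same-origin
        # policy lets another site *send* requests to the bank but not *read* the
        # responses, so a cross-site attacker never learns the value to echo back.
        return 200, (
            '<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>'
        )

    def transfer(self, session, form):
        submitted = form.get("csrf_token", "")
        # compare_digest is constant-time; a plain == would leak, via timing,
        # how many leading characters of a guessed token were correct.
        if not hmac.compare_digest(submitted, session.csrf_token):
            return 403, "CSRF token missing or invalid"
        if self.per_request_tokens:
            session.csrf_token = secrets.token_urlsafe(32)   # each token is single-use
        to, amount = form["to"], int(form["amount"])
        self.balances[session.user] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return 200, f"transferred {amount} to {to}"

    def handle(self, req):
        session = self.sessions.get(req.cookies.get("session"))
        if session is None:
            return 401, "not logged in"
        if (req.method, req.path) == ("GET", "/transfer-form"):
            return self.transfer_form(session)
        if (req.method, req.path) == ("POST", "/transfer"):
            return self.transfer(session, req.form)
        if req.path == "/transfer":
            return 405, "state changes require POST"   # the old GET route is gone
        return 404, "no such page"


def forged_request(bank, sid, guess=""):
    """What an auto-submitted cross-site form looks like to the server: the victim's
    cookie arrives (the browser added it), but the body carries no token, or a guess."""
    body = {"to": "mallory", "amount": "500"}
    if guess:
        body["csrf_token"] = guess
    return bank.handle(Request("POST", "/transfer", {"session": sid}, body))


def legitimate_transfer(bank, sid, token=None):
    """The real flow: fetch the form (same-origin), read the token, submit it.
    Passing a token skips the fetch; that is how the replay below is attempted."""
    if token is None:
        _, html = bank.handle(Request("GET", "/transfer-form", {"session": sid}, {}))
        token = re.search(r'name="csrf_token" value="([^"]+)"', html).group(1)
    body = {"csrf_token": token, "to": "bob", "amount": "100"}
    return token, bank.handle(Request("POST", "/transfer", {"session": sid}, body))


def demo(per_request_tokens=False):
    bank = HardenedBank(per_request_tokens)
    sid = bank.login("alice")
    forged = forged_request(bank, sid)[0]
    guessed = forged_request(bank, sid, guess=secrets.token_urlsafe(32))[0]
    token, (legit, _) = legitimate_transfer(bank, sid)
    _, (replay, _) = legitimate_transfer(bank, sid, token)   # same token, used again
    return {"forged": forged, "guessed": guessed, "legit": legit,
            "replay": replay, "balances": bank.balances}


if __name__ == "__main__":
    print("per-session tokens:", demo())
    print("per-request tokens:", demo(per_request_tokens=True))
```

With per-session tokens the forged and guessed requests are refused while the legitimate one, and a replay of its token, succeed; with per-request tokens the replay is refused as well, which is the extra protection the per-request variant buys at the cost of breaking multi-tab use.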
- The easiest way to check whether an application is vulnerable is to see whether each link and form contains an unpredictable token that differs per user (and, if tokens are per request, per page load).
- Without such an unpredictable token, attackers can forge requests that the application will accept as the user’s own.
- Focus on the links and forms that invoke state-changing functions (transfers, password or e-mail changes, purchases, deletions), since those are the CSRF targets that matter; forging a read-only request gains the attacker nothing, because the same-origin policy stops the attacking page from reading the response.
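The finding side, as an added example that is not from the original page: a small audit that parses a page, keeps only the state-changing forms and links, and reports those without a token-like hidden field or query parameter. The token field names, the path words used to guess that a GET link changes state, the “unpredictable” heuristic and the sample page are all assumptions made for the example; a real audit would additionally load the page as two different users and confirm the token values differ.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Field names commonly used for anti-CSRF tokens (assumption: extend per framework).
TOKEN_NAME_HINTS = ("csrf", "xsrf", "token", "nonce", "authenticity")
# Path words suggesting a state change even when the request is a GET link.
STATE_CHANGE_HINTS = ("delete", "remove", "transfer", "update", "change", "pay", "buy")


def looks_unpredictable(value):
    """Cheap heuristic: long enough to be unguessable and not a short constant."""
    return len(value) >= 16 and len(set(value)) >= 8


def is_state_changing(target, method):
    path = urlsplit(target).path.lower()
    return method == "post" or any(h in path for h in STATE_CHANGE_HINTS)


class FormAndLinkCollector(HTMLParser):
    """Collects every form (with its token field, if any) and every link."""

    def __init__(self):
        super().__init__()
        self.forms, self.links, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"target": a.get("action", ""),
                          "method": a.get("method", "get").lower(), "token": None}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            name = a.get("name", "").lower()
            if a.get("type", "").lower() == "hidden" and any(h in name for h in TOKEN_NAME_HINTS):
                self._form["token"] = a.get("value", "")
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit(html):
    """One finding per state-changing form or link lacking an unpredictable token.
    Read-only forms and links are ignored on purpose: forging a request whose
    response the attacker cannot read gains nothing."""
    c = FormAndLinkCollector()
    c.feed(html)
    findings = []
    for f in c.forms:
        if not is_state_changing(f["target"], f["method"]):
            continue
        if f["token"] is None:
            findings.append({"kind": "form", "target": f["target"], "issue": "no token field"})
        elif not looks_unpredictable(f["token"]):
            findings.append({"kind": "form", "target": f["target"], "issue": "token looks predictable"})
    for href in c.links:
        if not is_state_changing(href, "get"):
            continue
        query = parse_qs(urlsplit(href).query)
        token = next((v[0] for k, v in query.items()
                      if any(h in k.lower() for h in TOKEN_NAME_HINTS)), None)
        if token is None:
            findings.append({"kind": "link", "target": href, "issue": "state-changing GET link without token"})
        elif not looks_unpredictable(token):
            findings.append({"kind": "link", "target": href, "issue": "token looks predictable"})
    return findings


# Constructed sample page (not a real site) mixing protected and unprotected targets.
SAMPLE_PAGE = """
<form method="POST" action="/transfer">
  <input type="hidden" name="csrf_token" value="9f2c7a1e4b8d0c3f6a5e2d1b7c9f0a4e">
  <input name="to"><input name="amount">
</form>
<form method="POST" action="/change-email">
  <input name="email">
</form>
<form method="GET" action="/search"><input name="q"></form>
<form method="POST" action="/settings">
  <input type="hidden" name="csrf_token" value="1234">
</form>
<a href="/account/delete?id=42">Delete account</a>
<a href="/account/delete?id=42&amp;token=e1d4c7b0a3f6e9d2c5b8a1f4e7d0c3b6">Delete (protected)</a>
<a href="/help">Help</a>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE):
        print(finding)
```

On the sample page the audit flags the e-mail change form (no token at all), the settings form (a four-character token is guessable) and the unprotected delete link, while the protected transfer form, the protected delete link and the read-only search form and help link pass.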