Updated March 14, 2023
Introduction to CSRF?
Cross-Site Request Forgery is also referred to as CSRF, and sometimes XSRF. It is a type of fraud attack’ that utilizes the user’s credentials for entering the website and accesses the user’s data. It is usually executed by prompting an unknown link or page advertisement, asking the user to click on it, and leading it to deceive malware. Another method of attracting a user into CSRF is by sending scam links in emails or SMS and encouraging them to access the links provided.
How does it Work?
- It works only if the potential victim is authenticated.
- An attacker can enter into a website by bypassing the authentication process using a CSRF attack.
- CSRF attacks come into use in the scenarios where a victim having additional rights performs some action and others can’t access or perform these actions. E.g., online banking.
CSRF Attack is Executed in Two Main Parts
- The first step is to attract the user/victim to click a link or load a malicious page. The attacker uses social engineering to trick the victim.
- The second step is to fool the victim by sending a forged request to the victim’s browser. This link will redirect the legitimate-looking requests to a website. The attacker will have the victim’s values or details, which he must be looking for; a victim would have filled it thinking the request is legit. The attacker will also have the details of associated cookies with the victim’s browser.
Key Concepts of CSRF
- An attacker sends malicious requests to a site where the user visits an attacker believes that the victim is validated against that particular site.
- The victim’s browser is authenticated against the target site and is used to route the target site’s malicious requests.
- Here, a victim’s browser or a site with CSRF preventive methods implemented is not vulnerable; an affected website is the main vulnerability.
How can Cross-Site Request Forgery (CSRF) be Prevented?
There are several CSRF preventive methods; few of them are:
- Log off the web applications while not working on them.
- Secure your usernames and passwords.
- Do not allow browsers to remember the password.
- While you are working on an application and logged into it, avoid browsing.
Anti-CSRF Tokens
The most common implementation to stop Cross-site Request Forgery (CSRF) is to use a token that is related to a selected user and may be found as a hidden form in each state, dynamic form present on the online application.
1. This token, referred to as a CSRF Token
- The client requests an HTML page that has a form.
- In response to this request, the server appends two tokens. It sends one as a cookie and keeps other tokens in a hidden form field. These tokens are generated randomly.
- The client sends both the token back to the server once he submits the form. The cookie token is sent as a token, and the form token is sent inside the form data.
- The server does not respond or reject the request if a request doesn’t have both the requests.
An attacker trying to forge the request will have to guess the anti-CSRF tokens and the user’s authentication passwords. These tokens get invalidated after some time and once the session gets over. This makes the attacker guess the token tough.
2. Same Site Cookies
There are some cookies associated with an origin or website, and when a request is sent to that particular origin, cookies are sent along with it. Such requests are called cross-origin requests. While this process, cookies are sent to third parties, which makes CSRF attacks possible.
3. Same Site Cookie Attribute
- To prevent CSRF attacks, the same-site cookie attribute can be used. It disables third-party usage for a specific cookie.
- It is done by the server while setting the cookie; it then requests the browser to send the cookie only when the user is using the web application directly.
- If someone tries to request something from the web application, the browser will not send the cookie.
- However, it prevents the CSRF attack.
This has a limitation, same-site cookies are not supported in modern browsers, while web applications that use same-site cookies aren’t supported in older browsers.
Examples of CSRF
<class=”word”>Below < class=”word”>we have < class=”word”>explained < class=”word”>some <class=”word”>examples <class=”word”>of CSRF:
1. Using GET Requests
Suppose you have implemented and designed a website, banking.com, to perform actions such as online transactions by using GET requests. Now, a smart attacker who knows how to craft a malicious URL may use the <img> element to get the browser to load the page silently.
Example of an HTML image element containing a malicious URL:
<img src="http://banking.com/app/transferFunds?amount=2500&destination=56789">
2. One of the below Techniques can be used to do the Same
- By sending an email that has HTML content.
- By planting a script or a malicious URL on the pages.
3. Using POST Requests
There is a general misconception about HTTP POST requests that CSRF attacks can be prevented by allowing HTTP POST requests, which is actually not true. The attacker can create a form using HTML or JavaScript and use auto-submit functionality to submit the POST request without requiring the user to click on a submit button.
Conclusion
Cookies are vulnerable as they are sent automatically with the request, allowing attackers to implement CSRF and send malicious requests. The effect of a CSRF vulnerability also depends on the victim’s privilege, whose Cookie is being sent with the attacker’s request. While data retrieval is not the main scope of a CSRF attack, state changes will surely have an adverse effect on the web application being exploited. So it is advised to prevent your website from using preventive methods to safeguard your website against CSRF.
Recommended Articles
This has been a guide to What is CSRF? Here we discussed the key concept, Anti-CSRF tokens, how its works, and examples of CSRF. You can also go through our other suggested articles to learn more –
