CSRF (Cross-Site Request Forgery) Explained

Cross-Site Request Forgery (CSRF or XSRF), also called Client-Side Request Forgery, is a type of attack that targets web applications. It allows an attacker to induce a user into inadvertently performing a state-changing action on a website.

In this article, we are going to explain how CSRF attacks work, why they pose a threat to web applications, and what security safeguards we can implement to protect our websites against them.

How does a CSRF attack work?

To better understand how the process works, let’s consider the following scenario.

Let’s say that a legitimate user is authenticated to their bank’s website. Now, let’s assume that this website is vulnerable to CSRF. A user can send money to other users from their account by accessing the following link:

www.bank.com/transfer.php?to=recipient&amount=1000

An attacker can forge a link that would make the logged-in user send them money. This link will look something like this:

www.bank.com/transfer.php?to=attacker&amount=1000

The attacker can then induce the legitimate user to access this link by sending it through a phishing email, or through another malicious website that the attacker controls.

Once the user clicks on the link, $1000 will be transferred from the victim’s account to the attacker.

This is just one example of the many CSRF attack scenarios. Others include password resets, items added to a shopping cart, and stolen sensitive information, all without the user’s knowledge.

GET vs POST

For this reason, using the POST method for state-changing operations is preferable. It does not carry its parameters in the link; they are sent in the body of a form instead.

Although the POST method is not entirely immune to CSRF, it adds another step for the attacker and complicates delivery. Instead of delivering a simple link, the attacker has to create an HTML page with a form that submits the malicious request to the website the victim is logged into.

Web developers should not rely solely on the POST method as the solution to the problem; we will discuss more effective controls against CSRF later in this article.

Causes

When a user logs in, the website starts a session and provides the associated cookie to the user’s browser. From then on, the browser will include this cookie in all future requests. The website then trusts all requests originating from that browser.

Now, when a user with an active session receives a forged link from an attacker and clicks on it, the browser will include the user’s cookie with the request, and the website will see a request that appears to originate from a legitimate user with an active session.

Impact

In addition to attacks targeting end users, an attacker can use CSRF against users with privileged accounts, such as admins. When successful, this might give the attacker control over the entire web application.

All these are reasons enough to implement good practices to protect against CSRF attacks.

How to protect against CSRF?

Some of these good practices include:

  • A website should not permit state-changing operations based on GET requests.
  • Always limit session duration for connected users. Websites should terminate sessions whenever users leave the website.
  • Cross-Site Scripting (XSS) prevention controls should also be implemented, since XSS can be used to exploit CSRF.

More importantly, there are two main controls that help prevent CSRF attacks against a website: CSRF tokens and SameSite cookies.
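To show how the two controls fit together with the GET/POST and cookie points made above, here is an added example (not code from the original article): a minimal transfer handler, modelled on the transfer.php scenario, that rejects GET, binds a CSRF token to the session with an HMAC, and issues the session cookie with SameSite=Strict. The request dictionaries, session id and server key are constructed for the demonstration.

```python
# Added example (not from the original article): transfer handler hardened with
# a session-bound CSRF token and a SameSite session cookie.
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # server-side key (assumption: one per deployment)


def issue_csrf_token(session_id, key=SECRET):
    """Derive a per-session token; the server embeds it in every state-changing form."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def session_cookie_header(session_id):
    """Set-Cookie value: SameSite=Strict stops the browser attaching the cookie to cross-site requests."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def handle_transfer(request, key=SECRET):
    """request is a constructed dict with method, cookies and form. Returns (status, message)."""
    # 1. No state change on GET: the forged link from the article alone cannot trigger a transfer.
    if request["method"] != "POST":
        return 405, "state-changing operations require POST"
    session_id = request["cookies"].get("session")
    if not session_id:
        return 401, "not authenticated"
    # 2. The submitted token must match the one bound to this session. A page on
    #    another origin cannot read the victim's token, so it cannot supply it.
    submitted = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(session_id, key)
    if not hmac.compare_digest(submitted, expected):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {request['form']['amount']} to {request['form']['to']}"


def demo():
    """Run the three requests from the article's scenario and return their status codes."""
    sid = "victim-session-1"  # constructed session id
    token = issue_csrf_token(sid)
    # Legitimate submission from the bank's own form carries the token.
    legit = {"method": "POST", "cookies": {"session": sid},
             "form": {"to": "recipient", "amount": "1000", "csrf_token": token}}
    # Forged form hosted on the attacker's page: the browser attaches the cookie, but the token is unknown.
    forged = {"method": "POST", "cookies": {"session": sid},
              "form": {"to": "attacker", "amount": "1000"}}
    # The forged link from the article, delivered as a plain GET.
    link = {"method": "GET", "cookies": {"session": sid},
            "form": {"to": "attacker", "amount": "1000"}}
    return [handle_transfer(r)[0] for r in (legit, forged, link)]  # → [200, 403, 405]
```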

CSRF Tokens

SameSite Cookie

This article was just a brief introduction to Cross-Site Request Forgery (CSRF). It should be your first step into the topic. If you wish to learn more, you can check OWASP’s page about this attack.

Originally published at https://patchthenet.com on November 28, 2021.

A cybersecurity enthusiast, and founder @ Patchthenet.com