Cross-Site Request Forgery – (CSRF)
Cross-Site Request Forgery (CSRF) is a type of web vulnerability that tricks a user into performing an unwanted action on a website where they are authenticated. CSRF exploits the trust that a web application has in the user’s browser, and it can lead to unauthorized actions, such as changing account settings, transferring funds, or performing other sensitive operations.
How CSRF Works:
- User Authentication: The user logs into a trusted website (e.g., a banking site) and is authenticated using cookies or session tokens.
- Malicious Website: The user is tricked into visiting a malicious website (for example via an email link or a pop-up ad) while still logged in to the trusted website.
- Request Sent without User’s Consent: The malicious website sends an unauthorized request to the trusted website on behalf of the user, using the user’s session (i.e., cookies or authentication tokens that are automatically sent by the browser).
- Action Performed: The trusted website processes the request as if it were initiated by the authenticated user. This could result in a harmful action, such as transferring money, changing the user’s password, or making an unwanted purchase.
Example of CSRF:
Scenario: A Banking Application
- Step 1: Alice is logged into her bank account, and the bank uses cookies to authenticate her.
- Step 2: Alice receives a message on a forum with a link that looks like a legitimate advertisement, but it is actually a CSRF attack. The link points to the following request:
<img src="http://bank.com/transfer?amount=1000&toAccount=attackerAccount" />
- Step 3: Alice, unknowingly, clicks the link (or just loads the page). Her browser sends the request to the bank, with her session cookie automatically attached.
- Step 4: The bank processes the request, thinking that Alice authorized the transfer. As a result, the bank unknowingly transfers $1000 from Alice’s account to the attacker’s account.
CSRF Attack Example in HTML Form:
Here’s a simple example of how a CSRF attack might work by tricking a user into submitting a form:
<html>
<body>
<h1>Special Offer for You!</h1>
<p>Click below to claim your gift card.</p>
<!-- Hidden Form to submit the attack -->
<form action="http://bank.com/transfer" method="POST" style="display:none;">
<input type="hidden" name="amount" value="1000">
<input type="hidden" name="toAccount" value="attackerAccount">
<input type="submit" value="Claim Gift Card">
</form>
<script>
// Automatically submit the form to execute the CSRF attack
document.forms[0].submit();
</script>
</body>
</html>
In this example, the form sends a request to transfer $1000 to the attacker’s account. When the user visits this page while being logged into their bank, the browser will send the transfer request with the user’s authenticated session cookie, which the bank cannot distinguish from a legitimate action.
How to Prevent CSRF Attacks:
- Anti-CSRF Tokens:
- Add a unique, secret token to each state-changing request (e.g., submitting forms) that the server verifies. The token is usually embedded in the form and validated by the server to ensure the request is genuine and comes from the expected user.
<form method="POST" action="/change-password">
<input type="hidden" name="csrf_token" value="unique_token_value">
<!-- other form fields -->
<input type="submit" value="Submit">
</form>
- SameSite Cookies:
- Use the SameSite attribute in cookies to restrict sending cookies cross-site. SameSite=Strict or SameSite=Lax can prevent cookies from being sent with cross-origin requests, reducing CSRF risks.
- Re-authentication for Sensitive Actions:
- Require the user to re-enter their password or authenticate in some way before performing critical actions (like transferring money).
- Custom HTTP Headers:
- Require a custom header such as X-Requested-With: XMLHttpRequest on AJAX requests. A cross-origin page cannot attach a custom header without triggering a CORS preflight that the server can refuse, so the server can reject any request that lacks the header.
- Check Referer Header:
- Validate the Referer or Origin HTTP headers to ensure requests are coming from trusted sources.
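A minimal server-side implementation of the token, Origin and SameSite defences listed above, added here as an illustration and not taken from the original page. The bank origin, the session dictionary, and the handler and function names are assumptions for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected application


def issue_csrf_token(session):
    """Create (or reuse) a per-session secret token kept on the server side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_transfer_form(session):
    """Embed the session's token in the form as a hidden field."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><input name="toAccount">'
        '<input type="submit" value="Transfer"></form>'
    )


def session_cookie_header(session_id):
    """Set-Cookie value: SameSite=Lax stops the browser attaching the cookie to cross-site POSTs."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def origin_is_trusted(headers):
    """Secondary check: when Origin or Referer is present it must match our own origin."""
    value = headers.get("Origin") or headers.get("Referer")
    if value is None:
        return True  # header absent: the token check below is the primary defence
    parsed = urlparse(value)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def handle_transfer(session, form, headers):
    """Handler for POST /transfer. Returns (status, message)."""
    if not origin_is_trusted(headers):
        return 403, "cross-origin request rejected"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # compare_digest avoids leaking the token through timing differences
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['toAccount']}"
```

The forged form from the attack example above would arrive with no csrf_token field and an Origin of the attacker's site, and would be rejected by both checks.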
Conclusion:
CSRF exploits the trust a web application has in a user’s browser, allowing attackers to perform unwanted actions on behalf of an authenticated user. Mitigating CSRF attacks requires using techniques such as anti-CSRF tokens, SameSite cookies, and strong authentication for sensitive actions.