CSRF stands for Cross Site Request Forgery. It is a type of attack in which victim ends up executing unwanted actions on a web application unknowingly. This vulnerability has been in the top 10 vulnerabilities list that is published by OWASP (Open Web Application Security Project). Although the threat level has been reduced over the years, this one is still maintaining the top 10 position.
What is CSRF exactly?
Cross-Site Request Forgery is a vulnerability in a websie that allows attackers to force victims to perform security-sensitive actions on that site without their knowledge.
Important points to note:
- This is a vulnerability in the website. Although triggered from the client side, the client is completely unaware of any such thing happening in without her knowledge.
- It is possible to change the state of sensitive information through this vulnerability.
- The victim ends up executing the action even without her knowledge.
This is not something like phishing attack where the responsibility lies with the client. Here it is completely web application’s responsibility to provide protection against CSRF. [Although many-a-times phishing attack needs to be used to exploit CSRF]
How does it work?
The targeted user receives an email or a link which prompts the user to click and visit a webpage. The webpage itself could be genuine and may not even prompt for user credentials or may not look like the vulnerable site. However, when the page opens, it carries out certain actions in the background like submitting a form to the vulnerable website which changes password or email address or some other sensitive information. Pre-requisite for this to happen is that the target user is logged in to the vulnerable site and hence is having a valid session.
Why does it work?
As per the protocol, browsers are required to send all the available cookies with every request for a given website. When a user logs into a web application, a session is generated and that session id becomes the identity for that user for that session. Let’s say the target user is logged into a bank website and when that session is active, she receives a mail which prompts to click on a link. That link opens a webpage, which in the background submits a request to the bank website to change the email address. If the bank’s website is vulnerable, then this request would go through with the target user knowing about it and the hacker will get complete control of that bank account.
There are various technique to prevent CSRF:
- To include a unique token with each request which is unpredictable and difficult to guess. If the token is included in the submitted data, then only the request would be executed.
- Disallow CORS (Cross-origin requests) i.e. allow requests from same origin only.
- Double Submit Cookie.
Security, XSS, Sidejacking, Web Application
One Reply to “CSRF”