A Cross-Site Request Forgery (CSRF) is a type of attack in which a malicious website sends a request to a web application that the user is already authenticated to. In other words, the request originates from a malicious website the user visits and is directed at another website the attacker believes the user is logged into. The request reaches the target site through the user's own browser, and because that browser is already authenticated against the site, the request is accepted as the user's. This means the vulnerability does not lie with the website that issued the CSRF nor with the user, but with the target web application. The attack allows the attacker to use the web application's functionality through the victim's already authenticated browser. It is frequently used against web applications such as social media sites, in-browser email clients, online banking, and the web interfaces of network devices.
How it Works
The core of these attacks is that the attacker exploits how the target web application manages authentication. Success depends mainly on whether the user is still logged into the target web application in their browser. For example, if I visited an online banking website that had CSRF vulnerabilities and remained logged in, and another website I visited carried a CSRF attack against that banking site, the attack would be executed as if I had performed the action myself. The malicious website could then use the online banking application's features, such as transferring funds to another account, and could potentially steal all of the funds in my account through code embedded in an iframe. Once the iframe loads in my browser, the browser executes the code, the funds are transferred, and the attack succeeds.
Identifying the Vulnerability and Prevention Methods
The easiest way to identify whether a web application is vulnerable to a CSRF attack is to check whether each form and link carries an unpredictable token tied to the user. The forms and links to check are those that perform state-changing functions, since they are the primary targets of these attacks. CSRF tokens make a CSRF attack difficult to mount because they are associated with each user's session. They are, at a minimum, unique to each user's session or request, and they serve to authenticate that a request is genuinely from the user and not from a malicious website.
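The per-session token check described above, as an added example that is not code from the original article: a server issues an unpredictable token, embeds it in the state-changing form, and refuses any request that does not carry it. The in-memory session store, the function names and the /transfer form are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store: session_id -> CSRF token.
# (Assumption for this example; a real application keeps this in its session backend.)
_SESSION_TOKENS = {}


def issue_csrf_token(session_id):
    """Create an unpredictable per-session token and remember it server-side."""
    token = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG
    _SESSION_TOKENS[session_id] = token
    return token


def render_transfer_form(session_id):
    """Embed the session's token as a hidden field in the state-changing form.

    A forged request from another origin cannot include this value, because the
    attacker's page cannot read the victim's copy of the form.
    """
    token = _SESSION_TOKENS.get(session_id) or issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer(session_id, form):
    """Validate the token before performing the state change.

    Returns an (http_status, message) tuple. The browser would attach the
    session cookie to a cross-site request automatically, so the cookie alone
    proves nothing; only the token bound to this session does.
    """
    expected = _SESSION_TOKENS.get(session_id)
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes so timing does not leak the token.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return (403, "CSRF token missing or invalid")
    return (200, f"transferred {form['amount']} to {form['to']}")
```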