What is Cross Site Request Forgery (CSRF)? Example and Methods of Protection

What is CSRF Attack?

A counterpart of XSS, CSRF is one of the many web vulnerabilities in which an authenticated user is made to perform an unwanted or unauthorized action on the website that has authenticated them. Using passwords, two-factor login and other means, a website authenticates the end user and grants them access to its services. In this way trust is established between the end user and the website, and CSRF abuses that trust.

  • It is easy to carry out against websites/web applications that do not check whether an action was performed with the user’s consent.
  • While XSS exploits the trust a user places in a website, CSRF exploits the trust a website places in the user’s browser. Comparing XSS and CSRF side by side helps to distinguish the two vulnerabilities at a deeper level.
  • It does not require JavaScript or any other kind of code to succeed.
  • Single-page applications are more likely to become CSRF victims because they store the CSRF token in cookies, which are a favourite target of threat actors.

What is a CSRF token?

Crucial to keeping the likelihood of a CSRF attack as low as possible, a CSRF token is a secret, unique, per-session value generated at random. Challenge tokens and synchronizer tokens are the most common examples.

How does CSRF work?

Carrying out a CSRF attack requires three conditions to hold.

  1. A privileged action exists on the website, such as one that alters user data.
  2. The target site identifies the user by session cookies that the browser attaches automatically to each HTTP request.
  3. No parameter of the request is unpredictable or unreadable to the attacker.

Once these hold, the attack consists of two steps:

  • Creating a manipulated script or URL
  • Luring the victim (John in the example below) into using the crafted URL/script via social engineering

When the website accepts GET requests

In that case, the money transfer request made by John will look like:

GET http://money.com/transfer.do?acct=JENA&amount=500 HTTP/1.1

When the website accepts POST requests

If the website accepts only POST requests, John’s request will look like this:

POST http://money.com/transfer.do HTTP/1.1

acct=JENA&amount=500

The attacker’s page then reproduces that request with a hidden form that submits when the victim presses a harmless-looking button:

<form action="http://money.com/transfer.do" method="POST">
  <input type="hidden" name="acct" value="Leo"/>
  <input type="hidden" name="amount" value="5000"/>
  <input type="submit" value="Check my pictures"/>
</form>
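The following Python example is added here and is not part of the original article or Wallarm’s code. It ties the three conditions above to the two forged requests: a server that only looks at the session cookie would execute both, whereas a server that refuses state changes over GET and requires a per-session synchronizer token (the CSRF token described earlier) rejects both and accepts only its own form. The in-memory session store, the `/transfer.do` route and the `csrf_token` field name are assumptions constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Hypothetical in-memory session store: session id -> {"user": ..., "csrf": ...}.
# Constructed for this example; a real application uses its session backend.
SESSIONS = {}

# Endpoints that change state and therefore need CSRF protection (assumed).
STATE_CHANGING_PATHS = {"/transfer.do"}


def create_session(user):
    """Start a session and mint one random synchronizer token for it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds in its own forms as a hidden field."""
    return SESSIONS[sid]["csrf"]


def parse_request(raw):
    """Split a raw HTTP request into method, path, query params and form params."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return method, parts.path, query, form


def authorize_state_change(raw_request, sid):
    """Return (ok, reason) for a request sent by the browser holding session `sid`.

    The browser attaches the session cookie to forged requests too, so the
    session alone proves nothing; the method and the token decide."""
    method, path, query, form = parse_request(raw_request)
    if path not in STATE_CHANGING_PATHS:
        return True, "not a state-changing endpoint"
    if method != "POST":
        # Condition 3 is trivially met for a GET: the whole request is a link.
        return False, "state change attempted over %s" % method
    session = SESSIONS.get(sid)
    if session is None:
        return False, "no session"
    token = form.get("csrf_token", "")
    # Constant-time comparison; compare_digest needs ASCII str or bytes.
    if not token.isascii() or not hmac.compare_digest(token, session["csrf"]):
        return False, "missing or wrong CSRF token"
    return True, "transfer of %s to %s authorized for %s" % (
        form.get("amount"), form.get("acct"), session["user"])


# Constructed requests: the first two mirror the article's forged GET and the
# attacker's hidden form, the third is what the site's own form submits.
FORGED_GET = ("GET http://money.com/transfer.do?acct=JENA&amount=500 HTTP/1.1\r\n"
              "Host: money.com\r\n\r\n")
FORGED_POST = ("POST http://money.com/transfer.do HTTP/1.1\r\nHost: money.com\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               "acct=Leo&amount=5000")


def legitimate_post(sid):
    """The request produced by the site's own form, token included."""
    return ("POST /transfer.do HTTP/1.1\r\nHost: money.com\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            "acct=JENA&amount=500&csrf_token=" + csrf_token_for(sid))


if __name__ == "__main__":
    sid = create_session("john")
    for label, raw in [("forged GET", FORGED_GET), ("forged POST", FORGED_POST),
                       ("site's own form", legitimate_post(sid))]:
        print(label, "->", authorize_state_change(raw, sid))
```

Running the script shows the forged GET rejected because of its method, the forged POST rejected because the attacker cannot read the token (the same-origin policy keeps the victim’s page content from the attacker’s page), and the site’s own form accepted.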

When a website is using other HTTP methods

Apart from GET and POST, other HTTP methods such as PUT and DELETE are also used frequently. A forged PUT request needs JavaScript in the manipulated page/URL, and because the modern browsers we all use today enforce the same-origin policy, CSRF attacks on PUT and DELETE requests are rarely seen.

How to detect cross site request forgery?

Regardless of the type of vulnerability, early detection is the key to keeping the damage under control.

  • Websites that perform session management or state changes through GET requests are easy for third parties to reach with a plain link, so they are more prone to CSRF attacks. Make sure your site is not among them.
  • Web proxies are very helpful in CSRF detection. Because a proxy records each HTTP request from beginning to end, you can replay requests without interacting with the client-side interface of the app and observe whether a replayed request is still accepted.

How to Prevent CSRF Attack?

When not dealt with promptly, CSRF attacks can lead to data theft, stolen money, changed login details and even loss of control over critical applications. Hence, along with early detection, practical CSRF prevention measures should also be deployed.

The SameSite cookie attribute takes one of three values:

  1. ‘Strict’ stops the cookie from being sent on any cross-site request.
  2. ‘Lax’ is the default value; it keeps web solutions secure while still allowing user-initiated requests that arrive through external links. Most browsers now offer this as an added line of defense against CSRF attacks, to be used alongside the CSRF token.
  3. ‘None’ is used when you want the cookie sent on cross-site requests.
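As an added illustration of the three values (not from the article), the Python model below builds a `Set-Cookie` header and answers the question a defender cares about: for a given SameSite value, does the browser attach the session cookie to a form auto-submitted from another site? The request categories are a deliberate simplification of the real browser rules (no redirect chains, no temporary “Lax-allowing-unsafe” grace period) and are constructed for the example; the rule that `SameSite=None` must be paired with `Secure` is real browser behaviour.

```python
# Simplified model of how a browser applies the SameSite cookie attribute.

SAME_SITE_VALUES = ("Strict", "Lax", "None")

# How the request that would carry the cookie reached the site (constructed categories).
REQUEST_KINDS = (
    "same-site",                  # any request from the site's own pages
    "cross-site-top-level-get",   # user follows a link on another site (navigation)
    "cross-site-post",            # a form on another site submits to us
    "cross-site-subresource",     # <img>, <iframe>, fetch() from another site
)


def cookie_policy_error(samesite, secure):
    """Return a description of why the combination is invalid, or None if it is fine."""
    if samesite not in SAME_SITE_VALUES:
        return "unknown SameSite value: %r" % (samesite,)
    if samesite == "None" and not secure:
        return "SameSite=None cookies must also be Secure, otherwise browsers drop them"
    return None


def build_set_cookie(name, value, samesite="Lax", secure=True, http_only=True):
    """Build a Set-Cookie header value for a session cookie."""
    error = cookie_policy_error(samesite, secure)
    if error:
        raise ValueError(error)
    parts = ["%s=%s" % (name, value), "SameSite=%s" % samesite, "Path=/"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")   # keeps script from reading the session id
    return "; ".join(parts)


def cookie_is_sent(samesite, request_kind):
    """Would the browser attach a cookie with this SameSite value to this request?"""
    if samesite not in SAME_SITE_VALUES:
        raise ValueError("unknown SameSite value: %r" % (samesite,))
    if request_kind not in REQUEST_KINDS:
        raise ValueError("unknown request kind: %r" % (request_kind,))
    if request_kind == "same-site":
        return True
    if samesite == "Strict":
        return False                                        # never on cross-site requests
    if samesite == "Lax":
        return request_kind == "cross-site-top-level-get"   # safe top-level navigations only
    return True                                             # None: sent everywhere


def forged_post_carries_session(samesite):
    """The CSRF question in one call: does a cross-site auto-submitted POST carry the session?"""
    return cookie_is_sent(samesite, "cross-site-post")


if __name__ == "__main__":
    print(build_set_cookie("session", "constructed-session-id", "Lax"))
    for value in SAME_SITE_VALUES:
        print(value, "-> forged POST carries session:", forged_post_carries_session(value))
```

With `Strict` or `Lax` the forged POST from the article arrives without the session cookie and fails authentication; only `None` (the pre-SameSite behaviour) lets it through, which is why the attribute is treated as a second line of defense rather than a replacement for the token.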

How to prevent CSRF attack in Javascript?

Security experts who want to protect the JavaScript part of an app from CSRF can require a custom request header, because this defense relies on the SOP (Same-Origin Policy): such a header can only be added by JavaScript running on the application’s own origin, and by default the browser does not let a page from another origin attach custom headers to its requests.
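The server-side half of that defense, as an added Python example that is not part of the article: a state-changing JSON API call is accepted only if it carries a custom header that an HTML form cannot set, a JSON content type that a form cannot produce, and an `Origin` (or `Referer`) naming the site’s own origin. The header name `X-Requested-With`, the allowed origins and the sample requests are assumptions constructed for the example; `headers` is assumed to be the lower-cased header mapping a web framework hands to the handler.

```python
from urllib.parse import urlsplit

# Origins this hypothetical API treats as its own (constructed for the example).
ALLOWED_ORIGINS = {"https://money.com", "https://app.money.com"}
# Conventional custom header name; any name the site's own JavaScript sets would do.
CUSTOM_HEADER = "x-requested-with"


def source_origin(headers):
    """Origin header if present, else the origin part of Referer, else None."""
    if headers.get("origin"):
        return headers["origin"]
    parts = urlsplit(headers.get("referer", ""))
    if parts.scheme and parts.netloc:
        return "%s://%s" % (parts.scheme, parts.netloc)
    return None


def api_request_allowed(method, headers):
    """Decide whether a JSON API call may change state.

    `headers` maps lower-case header names to values. Returns (allowed, reason)."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return True, "read-only method"
    # An HTML form cannot add arbitrary headers, and cross-origin JavaScript can
    # only add one if the server opts in through CORS, so the header's presence
    # shows the request came from the site's own script.
    if CUSTOM_HEADER not in headers:
        return False, "missing custom request header"
    # A form can only send urlencoded, multipart or text/plain bodies.
    if not headers.get("content-type", "").startswith("application/json"):
        return False, "body is not JSON"
    # Defense in depth: the browser-set Origin/Referer must name our own site.
    origin = source_origin(headers)
    if origin not in ALLOWED_ORIGINS:
        return False, "unexpected source origin %r" % (origin,)
    return True, "accepted"


# Constructed sample requests.
CROSS_SITE_FORM = {
    "origin": "https://evil.example",
    "content-type": "application/x-www-form-urlencoded",
}
OWN_SCRIPT = {
    "origin": "https://money.com",
    "content-type": "application/json; charset=utf-8",
    "x-requested-with": "XMLHttpRequest",
}
HEADER_BUT_WRONG_ORIGIN = {
    "origin": "https://evil.example",
    "content-type": "application/json",
    "x-requested-with": "XMLHttpRequest",
}

if __name__ == "__main__":
    for label, hdrs in [("cross-site form", CROSS_SITE_FORM), ("own script", OWN_SCRIPT),
                        ("header but wrong origin", HEADER_BUT_WRONG_ORIGIN)]:
        print(label, "->", api_request_allowed("POST", hdrs))
```

The third sample would only occur if cross-origin JavaScript had been granted the header through CORS, so the origin check is what catches a misconfigured CORS policy rather than a plain forged form.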

Is it necessary to protect API from CSRF attacks?

CSRF attacks are on an all-time rise and there are no exceptions.

Ivan Novikov

CEO at Wallarm, an application security platform that prevents threats and discovers vulnerabilities in real time.