What is Cross Site Request Forgery CSRF | Example and Methods of protection

What is CSRF Attack?

  • It is easy to carry out against websites and web applications that do not verify whether an action was performed with the user’s consent.
  • While XSS exploits the trust a user places in a website, CSRF exploits the trust a website places in the user’s browser. A closer comparison of XSS and CSRF is needed to distinguish the two vulnerabilities at a deeper level.
  • It does not require JavaScript or any other kind of code to succeed.
  • Single-page applications are more likely to become CSRF victims when they store the CSRF token in a cookie, which is a favourite target of threat actors.

What is a CSRF token?

How does CSRF work?

  1. A privileged action takes place on the website, such as an action that alters user-specific data.
  2. The target site identifies the user through session cookies alone, so the user’s identity travels with every HTTP request the browser sends.
  3. No part of the user’s request is hidden from, or unpredictable to, the attacker.
  • Creating a manipulated script or URL
  • Luring John into using the crafted URL/script via social engineering

When website accepts GET requests

GET http://money.com/transfer.do?acct=JENA&amount=500 HTTP/1.1

When websites accept POST requests

POST http://money.com/transfer.do HTTP/1.1

acct=JENA&amount=500

<form action="http://money.com/transfer.do" method="POST">
  <input type="hidden" name="acct" value="Leo"/>
  <input type="hidden" name="amount" value="5000"/>
  <input type="submit" value="Check my pictures"/>
</form>

When a website is using other HTTP methods

How to detect cross site request forgery?

  • Websites that allow session management through GET requests are easy for third parties to reach, so they are more prone to CSRF attacks. Make sure your site is not among them.
  • Web proxies are very helpful in CSRF detection. Because a proxy records each HTTP request from beginning to end, you can replay requests without interacting with the client-side interface of the app.
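The two detection points above can be turned into a simple review of recorded requests. The block below is an added example, not code from the original article or from Wallarm: it parses a constructed key=value request log (the log format, money.com as the application host, and the list of state-changing endpoints are assumptions) and flags state-changing requests that arrive via GET with a session cookie, that come from a cross-site Origin or Referer, or that carry no CSRF token.

```javascript
// Added example (not from the original article): reviewing recorded requests for
// CSRF-prone patterns on state-changing endpoints. The log format, the host and the
// endpoint list are assumptions; the sample lines are constructed for illustration.
const SITE_HOST = "money.com";                       // assumed application host
const STATE_CHANGING = new Set(["/transfer.do"]);   // assumed endpoints that change state

// Constructed sample log: one request per line, space-separated key=value fields.
// "cookie" says whether a session cookie was present, "token" whether a CSRF token was sent.
const SAMPLE_LOG = `
method=GET path=/transfer.do?acct=JENA&amount=500 cookie=yes origin=- referer=http://photos.example/
method=POST path=/transfer.do cookie=yes origin=http://photos.example referer=http://photos.example/gallery token=no
method=POST path=/transfer.do cookie=yes origin=https://money.com referer=https://money.com/transfer token=yes
method=GET path=/balance cookie=yes origin=- referer=https://money.com/ token=no
`.trim();

// Parse one log line into an object of field -> value.
function parseLine(line) {
  const rec = {};
  for (const field of line.trim().split(/\s+/)) {
    const i = field.indexOf("=");
    if (i > 0) rec[field.slice(0, i)] = field.slice(i + 1);
  }
  return rec;
}

// Host part of a URL, or null when the value is absent ("-") or unparseable.
function hostOf(url) {
  if (!url || url === "-") return null;
  try { return new URL(url).host; } catch (e) { return null; }
}

// Apply the checks from the detection section to one parsed record.
// Only state-changing endpoints reached with a session cookie are of interest.
function findings(rec) {
  const path = (rec.path || "").split("?")[0];
  const out = [];
  if (!STATE_CHANGING.has(path) || rec.cookie !== "yes") return out;
  if (rec.method === "GET") out.push("state-change-via-GET");
  // Origin is preferred; fall back to Referer when Origin is missing.
  const src = hostOf(rec.origin) || hostOf(rec.referer);
  if (src !== null && src !== SITE_HOST) out.push("cross-site-source");
  if (rec.method !== "GET" && rec.token !== "yes") out.push("missing-csrf-token");
  return out;
}

// Review a whole log; returns only the lines that produced findings.
function reviewLog(text) {
  return text
    .split("\n")
    .filter((l) => l.trim())
    .map((line, n) => ({ line: n + 1, findings: findings(parseLine(line)) }))
    .filter((r) => r.findings.length > 0);
}

for (const r of reviewLog(SAMPLE_LOG)) {
  console.log(`line ${r.line}: ${r.findings.join(", ")}`);
}
```

Lines 1 and 2 of the constructed log are flagged (the GET transfer coming from another site, and the cross-site POST without a token); line 3 is the user’s own submission and line 4 only reads data, so neither is reported.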

How to Prevent CSRF Attack?

  1. A SameSite value of ‘Strict’ stops the browser from sending the cookie with cross-site requests.
  2. ‘Lax’ is the default value; it keeps web solutions secure while still allowing user-access requests that arrive via external links. Presently, most browsers support this attribute as an added line of defense against CSRF attacks, used alongside the CSRF token.
  3. The value ‘None’ is used when you want the cookie to be sent with cross-site requests.

How to prevent CSRF attack in Javascript?

Is it necessary to protect API from CSRF attacks?

CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in real time.
Ivan Novikov