WHAT IS CSRF?

Introduction to CSRF?

Cross Site Reference Forgery is also referred as CSRF, and sometimes XSRF. It is a type of ‘fraud attack’ that utilizes the user’s credentials for entering the website and accesses the user’s data. It is usually executed by prompting an unknown link or page advertisement, asking the user to click on it and leading it to a deceiving malware. Another method of attracting an user into CSRF is, by sending scam links in the emails or SMS, and encouraging the user to access the links provided.

How does it work?

• It works only if the potential victim is authenticated.
• An attacker can enter into a website by bypassing the authentication process using a CSRF attack.
• CSRF attacks come into use, in the scenarios where a victim having additional rights performs some action and others can’t access or perform these actions. For eg, online banking.

CSRF Attack is Executed in Two Main Parts

• The first step is to attract the user/victim to click a link or load a page that is malicious. Social engineering is used by the attacker to trick the victim.
• The second step is to fool the victim by sending a forged request to the victim’s browser. This link will redirect the legitimate-looking requests to a website. The attacker will have the values or details from the victim which he must be looking for, a victim would have filled it thinking the request is legit. The attacker will also have the details of associated cookies with the victim’s browser.

Key Concepts of CSRF

• An attacker sends malicious requests to a site in which the user visits an attacker believes that the victim is validated against that particular site.
• Victim’s browser is authenticated against the target site and is used to route the malicious requests to the target site.
• Here, a victim’s browser or a site with CSRF preventive methods implemented on it, are not vulnerable, an affected website is the main vulnerability.

How can cross-site request forgery (CSRF) be prevented?

There are a number of CSRF preventive methods, few of them are:

• Log off the web applications while not working on it.
• Secure your usernames and passwords.
• Do not allow browsers to remember the password.
• While you are working in an application and logged into it, avoid browsing.

Anti-CSRF Tokens

The most common implementation to stop Cross-site Request Forgery (CSRF), is to use a token that is related to a selected user and may be found as a hidden form in each state, dynamic form present on the online application.

1. This token referred to as a CSRF Token works as follows:

• The client requests an HTML page that has a form.
• In the response of this request, the server appends two tokens. It sends one as a cookie and keeps other tokens in a form field that is hidden. These tokens are generated randomly.
• The client sends both the token back to the server once he submits the form. Cookie token is sent as a token and form token is sent inside the form data
• The server does not respond or rejects the request if a request doesn’t have both the requests.

Now an attacker who is trying to forge the request will have to guess the anti-CSRF tokens along with the user’s authentication passwords. These tokens get invalidated after some time and once the session gets over. This makes the attacker guess the token tough.

2. Same Site Cookies

There are some cookies associated with an origin or website and when a request is sent to that particular origin, cookies are sent along with it. Such requests are called cross-origin requests. While this process, cookies are sent to third parties, which makes CSRF attacks possible.

3. Same Site Cookie Attribute

• To prevent CSRF attacks, the same site cookie attribute can be used. It disables third-party usage for a specific cookie.
• It is done by the server while setting the cookie; it then requests the browser to send the cookie only when the user is using the web application directly.
• Now if someone tries to request something from the web application, the browser will not send the cookie.
• However, prevents the CSRF attack.

This has a limitation, same site cookies are not supported in modern browsers, while web applications that make use of same-site cookies aren’t supported in older browsers.

Examples of CSRF

Below we have explained some examples of CSRF:

1. Using GET Requests:

Suppose you have implemented and designed a website, banking.com, to perform actions such as online transactions by using GET requests. Now, a smart attacker who knows how to craft a malicious URL may use <img> element to get the browser silently load the page

Example of an HTML image element containing a malicious URL:

<img src="http://banking.com/app/transferFunds?amount=2500&destination=56789">

2. One of the below technique can be used to do the same:

• By sending an email which has HTML content
• By planting a script or a malicious URL on the pages that a user is likely to visit while doing online transactions.

3. Using POST Requests

There is a general misconception about HTTP POST requests that CSRF attacks can be prevented by allowing HTTP POST requests, which is actually not true. The attacker can create a form using HTML or JavaScript and use auto-submit functionality to submit the POST request without requiring the user to click on a submit button.

Conclusion

Cookies are vulnerable as they are sent automatically with the request, which allows attackers to implement CSRF and send malicious requests. The effect of a CSRF vulnerability also depends on the privilege of the victim, whose Cookie is being sent with the attacker’s request. While data retrieval is not the main scope of a CSRF attack, state changes will surely have an adverse effect on the web application being exploited. So it is advised to prevent your website from using preventive methods to safeguard your website against CSRF.