What is Cross-Site Request Forgery (CSRF)?



Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) is an Internet exploit that involves a trusted website user issuing unauthorized commands. In contrast to cross-site scripting, which exploits the user's trust for a website, CSRF leverages a website's trust for a specific user's browser. Session riding or a one-click attack are other terms for the same thing.

The "GET" command of a browser is commonly used as the exploit point in a CSRF. To inject commands into a specific website, CSRF employs HTML tags like "IMG." A particular user of the website is then engaged as both a host and an unintentional accomplice. Because a legal user sends the commands, the website is often unaware that it is being attacked. The attacker may request that funds be transferred to another account, that more funds be withdrawn, or that money be sent to another account (in the case of PayPal and similar sites).

How is it executed?

A CSRF attack is tough to carry out since it requires numerous factors to succeed −

  • The attacker must choose between attacking a website that doesn't check the referrer header (standard) or a user/victim with a browser or plug-in fault that allows referrer faking (rare).

  • The attacker must find a Form submission on the target website capable of changing the victim's email address, changing login credentials, or transferring money.

  • The attacker must figure out the correct values for all of the inputs on the form or URL. The assault will fail if any of these are required to be secret values or IDs that the attacker cannot precisely guess.

  • The attacker must attract the user/victim to a Webpage with malicious code while the victim is signed in to the target site.

Consider Person A, who is simultaneously browsing his bank account and chatting in a chat room. An attacker (Person B) discovers that Person A is also logged in to bank.com in the chat channel. Person B entices Person A to follow a link to a humorous graphic. The "IMG" tag provides data for bank.com's Form inputs, which will transfer money from Person A's account to Person B's account. The attack will succeed if bank.com does not have secondary authentication for Person A before transferring funds.

Prevention of Cross-site request forgery

  • On the user's side − User-side prevention is ineffective in terms of surfing experience; prevention can be accomplished by simply opening one tab at a time and not using the "remember-me" feature.

  • On the server's end − The usage of CSRF tokens is one of the most prevalent methods for implementing CSRF protection on the server-side. A CSRF token is associated with a user's session but is not automatically submitted. A website will only proceed if it receives a valid CSRF token along with the cookies; An attacker cannot undertake actions on behalf of a user since the attacker has no way of knowing the user's unique token.


Advertisements