top of page
shaun9968

Unravelling Cross-Site Forgery (CSRF)

Updated: Aug 14

Cross-Site Forgery, commonly known as CSRF or XSRF, is another type of security exploit that uses weaknesses in web page code.

 

In a CSRF attack, an attacker tricks a user's browser into making an unintended request to a web application on which the user is authenticated. This can lead to unauthorized actions being performed on behalf of the user without their consent. Imagine a user as a puppet and a website as the puppeteer. In a CSRF attack, the puppeteer (attacker) manipulates the puppet (user) to perform actions on a different stage (authenticated website) without the puppet's awareness.



Cross site frogery

CSRF attacks typically involve the victim being tricked into making unintentional and unauthorized requests to a different site rather than the one they are currently visiting. The attack relies on the fact that the victim is authenticated on the target site and their browser automatically includes the necessary authentication credentials (e.g. session cookies) when making requests.

 

In a CSRF attack scenario:

 

1. The victim is authenticated on Site A.

2. The attacker tricks the victim into accessing a malicious website or clicking on a crafted link.

3. The malicious website or link initiates requests to perform actions on Site A using the victim's authenticated session.

 

The key point is that the victim is still interacting with Site A, but the malicious requests are initiated by the attacker from a different context (malicious website or link). This separation is what allows the attacker to exploit the trust that the target site has in the user's browser.




CSRF is a serious attack technique! It works by manipulating the unwitting “logged on” user. The sequence of attack is:

 

1. User Authentication

-        The victim logs into a legitimate website, creating an active session.

 

2. Exploiting Trust

-        The attacker entices the user to visit a malicious website or click on a crafted link.

 

3. Unauthorized Request

-        The malicious website or link contains a request targeting the authenticated website, using the victim's active session without their knowledge.

 

4. Performing Actions

-        The request executes actions on the authenticated site, such as changing account settings, initiating transactions, or performing other sensitive operations.

 

 

Here are some real-world examples to demonstrate how devastating CSRF can be…

 

Stealing Money

 

-        User logs into online banking website (Stage A) and keeps the session active (ie web page open).

-        Later, they visit an innocent-looking malicious website (Stage B)

-        The malicious website secretly triggers a transaction on their behalf without their consent, transferring funds to an account chosen by the attacker.

 

Social Media Profile Hijacking

 

-        User logs into a social media site (Fortress A) and leaves their account open (web age open).

-        On another web page, they click on an enticing link from a different website, triggering a Trojan Horse.

-        The trojan horse uses logged on credentials on social media site to  secretly change the user’s profile information, post unauthorized content, or manipulate settings (e.g password). The user is locked out, and the hacker can do what they want with that social media account.

 

Email account tampering

 

-        The user is logged into their email provider page to check their email (Stage A)

-        They leave the page open and later visit a blog (Stage B)

-        The blog contains malicious content that exploits CSRF, subscribing the user’s email account to newsletters without their consent

-        The user’s mailbox is flooded with unwanted emails.

 

 

A CSRF attack could have huge security risks for the user (or organisation if the user is an organisational user!)

 

More Examples:

 

1. Unauthorized Transactions

-        CSRF can lead to the unauthorized initiation of transactions, which could range from fund transfers to changing account details.

 

2. Data Manipulation

-        Attackers can manipulate data on behalf of the victim, altering critical information stored on the target website.

 

3. Account Compromise

-        CSRF may facilitate account compromise by allowing attackers to change passwords, email addresses, or other credentials.

 

4. Malicious Actions on Behalf of the User

-        Attackers can make the user unknowingly perform actions that have severe consequences, such as deleting important data or modifying settings.

 

5. Session Impersonation

-        CSRF can be used to impersonate a victim, causing actions to be performed under the victim's identity.

 

Mitigation Strategies:

 

It is essential, therefore, for users (and their organisations!) to implement CSRF mitigation strategies. Some examples:

 

1. CSRF Tokens

-        Implement anti-CSRF tokens in web forms to validate that the request is coming from a legitimate source.

 

2. Same Site Cookies

-        Set cookies to "Same Site" attribute to prevent them from being sent in cross-site requests.

 

3. Referrer Policy

-        Use strict referrer policies to control the information sent in the HTTP Referrer header.

 

4. Custom Headers

-        Employ custom headers, such as the `X-Requested-With` header, to identify legitimate requests.

 

5. Secure Coding Practices

-        Developers should follow secure coding practices to minimize vulnerabilities in their applications.

 

 

Note that my previous two articles have covered web security vulnerabilities:

 

Cross site request forgery is just a further example of hackers using web vulnerabilities to cause damage.

 

Similarity between SQL injection and Cross site scripting has been acknowledged in a previous article. However, it is important to note that although the three techniques have common aspects, they do cause damage through differing mechanisms. As previously mentioned, the authority on web-based vulnerabilities such as these three is OWASP (Open Web Applications Security Project).

 

Here is a recap:

 

1.     CSRF (Cross-Site Request Forgery)

 

·       Nature: CSRF involves tricking a user's browser into making an unintentional and unauthorized request to a web application where the user is authenticated.

 

·       Think of CSRF as a puppeteer tricking the audience member (user) into unintentionally pulling strings on stage (making unauthorized requests). The puppeteer (attacker) orchestrates actions on behalf of the audience member without their knowledge.

 

·       Objective: The attacker aims to perform actions on behalf of the victim without their consent.

 

·       Prevention: Mitigated by techniques such as CSRF tokens, Same Site cookies, and secure coding practices.

 

 

2.     SQL Injection


·       Nature: SQL Injection is an attack where malicious SQL statements are inserted into user inputs, manipulating the database query executed by the application. 

 

·       Consider SQL Injection like an attacker inserting misleading letters into a pen pal exchange (user inputs). The recipient (database) unsuspectingly executes harmful instructions, leading to unintended consequences.

 

·       Objective: Attackers attempt to extract, modify, or delete data from the application's database.

 

·       Prevention: using parameterized queries or prepared statements, input validation, and least privilege principles.

 

 

3.     XSS (Cross-Site Scripting)

 

·       Nature: XSS involves injecting malicious scripts into web pages that are then executed by other users' browsers. 

·       Imagine XSS as someone sneaking malicious notes into a shared diary (web page). When others read the diary (visit the page), the hidden notes execute, causing mischief or stealing information without the owner's awareness.

·       Objective: Attackers aim to steal session cookies, deface websites, or perform actions on behalf of users without their consent.

 

·       Prevention: Mitigated by input validation, output encoding, and implementing Content Security Policy (CSP).

 

 

In summary, while CSRF focuses on unauthorized actions performed on behalf of a user, SQL Injection targets vulnerabilities in database interactions, and XSS exploits weaknesses in how user inputs are handled in web pages. Each requires specific prevention measures, and understanding these distinctions is crucial for building comprehensive web security.

 

Conclusion:


CSRF is like an identity thief who, once you've shown your ID to enter a secure building (authenticated website), uses a clever trick to make you unknowingly sign contracts or perform actions on a different premises without your awareness. Typically, these attacks involve the victim being tricked into making unintentional and unauthorized requests to a different site rather than the one they are currently visiting. Understanding and addressing CSRF vulnerabilities is crucial to maintaining the integrity and security of web applications, protecting both users and the data they entrust to online platforms. Security measures such as Same Site cookies and anti-CSRF tokens can help mitigate CSRF attacks by preventing unauthorized requests even when they originate from the same site. These measures add an extra layer of protection by validating the source of the requests and ensuring they come from legitimate, expected sources.

 

Useful Links:

 

OWASP Article on CSRF:

 

What is a CSRF token?

 

OWASP CSRF cheat sheet:

 

 

Note: Always ensure to refer to reputable sources and adhere to ethical guidelines when seeking information on cybersecurity practices.


14 views0 comments

Comments


bottom of page