What is Cross Site Request Forgery (CSRF)? Example, Mitigation and Prevention
Last Modified: August 5, 2025
CSRF was listed in the Open Web Application Security Project (OWASP) Top 10 through the 2013 edition and was dropped in 2017, largely because most web frameworks now ship built-in defenses. It remains common in applications that disable or misconfigure those defenses.
This blog will explain everything about CSRF attacks and the prevention methods to help you secure your website.
Let’s start by understanding what Cross-Site Request Forgery is.
What Is Cross-Site Request Forgery?
Cross-site request forgery (CSRF), also known as XSRF, Sea Surf, or Session Riding, is an attack in which the attacker causes a logged-in user's browser to send a request the user never intended, so the web application performs actions on the user's behalf such as:
- Changing email addresses
- Transferring funds from their accounts
- Changing passwords or other undesired actions
The vulnerability lies in the web application: it cannot distinguish a request the user intended to make from one an attacker's page caused the user's browser to send, because both arrive with the same session cookie.
A CSRF attack harms users and businesses alike, since account data and funds get changed and client relationships suffer. The forged request is typically triggered by a malicious link, email or web page that the victim opens while still logged in to the target site.
Read on to find out how Cross-Site Request Forgery attacks are executed!
Also Read: What is Server Side Request Forgery (SSRF)? Types, Impact, Mitigation, Prevention
How Do Cross-Site Request Forgery Attacks Work?
Cross-site Request Forgery attacks are executed in two parts:
- Using social engineering techniques, attackers trick users into clicking on a link or loading a web page.
- After the user clicks the link or visits the page, a request is sent from their browser to a trusted website (such as their bank). The request looks legitimate because the browser automatically attaches the user's session cookie to it.
How the Attack Works:
- Cookies and Login: When you log into a website, your browser saves a cookie that keeps you logged in. This cookie is sent with every request, so you don’t have to log in again each time you do something new.
- Tricking the Website: The browser attaches the session cookie to the forged request, so the website sees a valid session and treats the request as the user's own action.
- Taking Actions: The website can’t tell the difference between a request made by the attacker and one made by the user. This means the attacker can transfer money or change account details without the user knowing.
Types of CSRF Attacks
Below are some of the types of CSRF attacks.
Login CSRF
Login CSRF attacks force the victim's browser to log in to an account the attacker controls, by forging a request to the login form with the attacker's credentials. The victim then unknowingly uses the attacker's account: anything they enter or upload (search history, saved payment details, files) lands in an account the attacker can later open and read. Protecting the login form with a CSRF token, not just the post-login actions, prevents this.
Stored CSRF
Here, the attacker plants the forged request on the vulnerable site itself, for example as an image tag or auto-submitting form inside a stored comment or profile field. Every logged-in user who views that page has their browser send the forged request, so no external lure is needed and the Referer header points at the site's own domain.
Cross-Site Request Forgery Attack Example
Let’s understand it using the following example.
For example, Robert has an online banking account on examplebank.com, which is vulnerable to CSRF.
He visits the site and performs transactions daily. An attacker wants to trick Robert's browser into transferring money to the attacker's account. To perform the attack, the attacker will:
- Build an exploit URL or script
- Trick Robert into clicking the URL
Suppose the application accepts transfers via GET requests (itself a design flaw: state-changing actions should require POST, although a POST can also be forged with an auto-submitting form).
One day, while Robert has an active session with examplebank.com, he transfers $500 to his friend's account number 123456. The legitimate request looks like:
GET https://examplebank.com/onlinebanking/transfer?amount=500&accountNumber=123456 HTTP/1.1
To launch the CSRF attack, the attacker crafts a URL that transfers $5,000 to the attacker-controlled account 231998:
https://examplebank.com/onlinebanking/transfer?amount=5000&accountNumber=231998
Using social engineering, the attacker gets Robert to load that URL. It need not be clicked: an invisible image tag in an email or web page is enough.
Example of a disguised URL:
<img src="https://examplebank.com/onlinebanking/transfer?amount=5000&accountNumber=231998" width="0" height="0">
When Robert's mail client or browser renders the image, it requests the URL from examplebank.com and, because he is still logged in, attaches his session cookie. The bank cannot tell this request from one Robert made himself, so the funds are transferred with no visible indication to him. (Browsers that default cookies to SameSite=Lax will not attach the cookie to a cross-site image load, but a top-level link to the same URL still carries it; see SameSite Cookies below.)
What Is The Impact Of A CSRF Attack?
A successful CSRF attack harms both the business and the user. Typical outcomes are unauthorized fund transfers, changed passwords or email addresses (which can lead to full account takeover), and a loss of trust between the application and its users. Note that CSRF does not let the attacker read responses or steal session cookies; it only lets them act with the victim's session.
The damage depends on the victim's privileges. An ordinary user's account can only be abused within that account.
If the victim is an administrator, a forged request can affect the entire application: creating users, changing configuration, exporting data, and so on. Attackers commonly deliver the forged request through phishing emails or malicious pages to reach many victims at once.
Cross-Site Request Forgery (CSRF) Protection Methods and Bypasses
Companies use several protection methods to defend their websites against CSRF. Each gives the server a way to tell a request the user intended from one an attacker's page caused the browser to send, so the forged request can be rejected.
Below are some of the basic prevention methods for CSRF attacks.
Anti CSRF Token
A CSRF token is a unique, unpredictable, secret value generated by the server-side application and used to check that a state-changing request was really issued by the user's own page. It is embedded in web forms or sent in a request header, and is tied to the individual user's session.
When a request is submitted, the server checks if the token matches the expected value. If it matches, the request is considered legitimate.
Points to consider when generating and using CSRF tokens:
- Generate them with a cryptographically secure random number generator and enough entropy (at least 128 bits) that they cannot be guessed.
- Bind each token to the user's session. Issuing a fresh token per request is stronger but breaks the back button and multiple tabs, so per-session tokens are the usual choice; rotate the token on login and invalidate it on logout.
- Compare the submitted token with the stored one in constant time, and reject the request when the token is missing, not only when it is wrong.
- Never send CSRF tokens in HTTP GET requests: URLs leak through Referer headers, browser history and server logs.
SameSite Cookies
Setting the SameSite attribute on the session cookie tells the browser when it may attach that cookie to cross-site requests, which cuts off the mechanism CSRF relies on. It is a strong second layer, but not a replacement for CSRF tokens: it depends on browser support, it does not stop forgeries launched from a vulnerable subdomain of the same site, and SameSite=Lax still lets the cookie through on top-level GET navigations.
How to secure a website with SameSite Cookies:
Setting Session Cookies: When a user logs in, the site sets a session cookie in the user's browser so later requests are recognised without repeated logins. This cookie is exactly what a forged request rides on.
Using the SameSite Attribute: Add SameSite=Lax or SameSite=Strict (together with Secure and HttpOnly) to that cookie so the browser withholds it from requests initiated by other sites. Cookies are then only sent in the contexts the attribute allows.
How do SameSite cookies work?
- SameSite=Strict: the cookie is never sent on a cross-site request, not even when the user follows a link to your site from elsewhere, so they arrive logged out. This blocks CSRF outright but hurts usability for sites users reach via external links.
- SameSite=Lax: the cookie is sent on top-level navigations that use a safe method (GET, HEAD), but not on cross-site POSTs or on embedded subresources such as images, iframes and scripts. This stops forged POSTs and hidden-image tricks, but a state-changing GET endpoint remains forgeable via a plain link. Chrome and other browsers now treat cookies without an explicit SameSite attribute as Lax.
- SameSite=None: the cookie is sent in all contexts, including cross-site requests, and browsers require it to also carry the Secure attribute. This disables SameSite protection, so such a cookie needs token-based CSRF defenses.
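The following is an added example, not code from the original page, that models the three SameSite settings from the browser's side and builds the corresponding Set-Cookie header. It assumes a simplified view of the browser's rules (cross-site versus same-site, top-level navigation versus subresource, safe versus unsafe method) and uses constructed request vectors that mirror the hidden-image and link tricks described above:

```python
from dataclasses import dataclass

VALID = ("Strict", "Lax", "None")


def set_session_cookie(value: str, samesite: str = "Lax") -> str:
    """Build the Set-Cookie header value for the session cookie.

    Secure and HttpOnly are always set; browsers reject SameSite=None on a
    cookie that is not also Secure, so that combination is never emitted.
    """
    if samesite not in VALID:
        raise ValueError(f"SameSite must be one of {VALID}, got {samesite!r}")
    return "; ".join([f"session={value}", "Path=/", "Secure", "HttpOnly",
                      f"SameSite={samesite}"])


@dataclass
class OutgoingRequest:
    method: str                 # "GET", "POST", ...
    cross_site: bool            # initiating site differs from the cookie's site
    top_level_navigation: bool  # link click / form submit, not <img>, <iframe>, fetch()


def browser_sends_cookie(samesite: str, req: OutgoingRequest) -> bool:
    """Simplified model of the browser's decision to attach a cookie under SameSite."""
    if samesite not in VALID:
        raise ValueError(f"unknown SameSite value {samesite!r}")
    if not req.cross_site:
        return True                  # same-site requests are never affected
    if samesite == "None":
        return True                  # explicit opt-out of protection
    if samesite == "Strict":
        return False                 # never on a cross-site request
    # Lax: only on top-level navigations that use a safe method
    return req.top_level_navigation and req.method.upper() in ("GET", "HEAD")


# Constructed CSRF delivery vectors (hypothetical names) used to probe a setting.
VECTORS = {
    "img_get":    OutgoingRequest("GET", True, False),   # hidden <img> in a mail or page
    "link_get":   OutgoingRequest("GET", True, True),    # victim clicks a link to the GET endpoint
    "form_post":  OutgoingRequest("POST", True, True),   # auto-submitting cross-site form
    "fetch_post": OutgoingRequest("POST", True, False),  # script-issued fetch() from attacker page
}


def forged_request_carries_session(samesite: str, vector: str) -> bool:
    """Does this CSRF vector still arrive with the session cookie under `samesite`?"""
    return browser_sends_cookie(samesite, VECTORS[vector])
```

Under Lax only the link_get vector still carries the cookie, which is why a GET endpoint that changes state is not fixed by SameSite alone. Chromium additionally exempts cookies that have no explicit SameSite attribute from the POST restriction for two minutes after they are set, so always set the attribute explicitly rather than relying on the default.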
Referer-based Validation
Referer-based validation is another defense. The server inspects the Referer header (and, in modern browsers, the Origin header, which is sent on cross-origin requests and on all POSTs) to check that the request originated from the application's own origin rather than from another site.
Here’s how it works:
When your browser makes a request, it normally includes a Referer header naming the page the request came from. The server compares the origin of that value against its own origin and rejects the request if they differ.
This method is weaker than token validation for two reasons. First, the header is often absent: users and sites can suppress it with a Referrer-Policy, privacy extensions or certain redirects, so the server must choose between failing open (insecure) and failing closed (breaks legitimate users). Second, the check is easy to get wrong: matching on a prefix such as "https://examplebank.com" accepts a request from https://examplebank.com.evil.net. Parse the header and compare the full origin exactly, prefer Origin when present, and treat Referer checking as defense in depth alongside tokens or SameSite cookies.
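As an added example (not the page's own code), here is Referer/Origin validation implemented correctly next to the naive prefix check it replaces. It assumes the page's example site examplebank.com is the only origin the application serves, and the header dictionaries in the comments and tests are constructed inputs:

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Origins the application serves (scheme + host + non-default port).
# Assumption: only the page's example site; a real deployment lists every origin.
ALLOWED_ORIGINS = {"https://examplebank.com"}


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL or Origin header value to scheme://host[:port], or None if unusable."""
    parts = urlsplit(url)
    try:
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def naive_referer_check(headers: Dict[str, str]) -> bool:
    """The mistake to avoid: a string-prefix match on the raw header."""
    return headers.get("Referer", "").startswith("https://examplebank.com")


def source_origin_allowed(headers: Dict[str, str]) -> bool:
    """Origin/Referer validation done properly: exact origin match, fail closed.

    Origin is preferred because browsers always send it on POST; Referer is the
    fallback. A request carrying neither is rejected, which is the safe default
    but will also reject users behind a strict Referrer-Policy, so this check
    belongs beside tokens or SameSite cookies rather than on its own.
    """
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    origin = h.get("origin")
    if origin and origin != "null":                 # "null" means opaque origin, never trust it
        return origin_of(origin) in ALLOWED_ORIGINS
    referer = h.get("referer")
    if referer:
        return origin_of(referer) in ALLOWED_ORIGINS
    return False
```

Note that the naive check passes the lure hosted on examplebank.com.evil.net while the proper check rejects it, and that an explicit default port (https on 443) is normalised so a legitimate request is not rejected on a cosmetic difference.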
What Are CSRF Tokens?
CSRF (Cross-Site Request Forgery) tokens are a security measure that protects websites from CSRF attacks. These tokens help ensure that legitimate users, not attackers make state-changing requests (like transferring money or changing account settings).
How Does It Work?
A CSRF token exists in two copies:
- Server Copy: Stored securely on the server.
- Client Copy: Sent to the client as a hidden field in a web form or as part of an HTTP request header.
When the client makes an HTTP request to the server, the server compares the token from the client with the token stored on the server. If the tokens match, the request is considered legitimate. If they don’t match, the request is denied.
How are CSRF Tokens Generated?
- Tokens are generated with a cryptographically secure pseudo-random number generator (CSPRNG), such as the operating system's random source, so they are unpredictable and unique per session (or per request). Timestamps are not what makes a token secure; unpredictability is.
- The token is embedded in web forms as a hidden field or sent in a custom HTTP request header, and the server keeps its copy in the user's session.
- On every state-changing request the server compares the submitted token with the stored one using a constant-time comparison and rejects the request if they differ or if the token is missing.
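The following added example (not code from the original page) implements the synchronizer token pattern described in the Anti CSRF Token section and here, showing the examplebank.com transfer handler first as the page describes it (cookie is all it checks) and then with the token check applied. The in-memory session store, the request object and the account numbers are constructed for the example; a real application would use its framework's server-side session:

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical in-memory session store keyed by the session cookie value.
SESSIONS = {}


def create_session(user: str = "robert") -> str:
    """Log a user in: mint a session id and the server copy of a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)                       # CSPRNG-backed, 256 bits
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(session_id: str) -> str:
    return SESSIONS[session_id]["csrf"]


def render_transfer_form(session_id: str) -> str:
    """The client copy: a hidden field in the POST form, never a query parameter."""
    token = csrf_token_for(session_id)
    return (
        '<form method="POST" action="/onlinebanking/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><input name="accountNumber">'
        '</form>'
    )


@dataclass
class Request:
    method: str
    cookies: dict
    form: dict = field(default_factory=dict)    # POST body fields
    query: dict = field(default_factory=dict)   # URL query parameters


def transfer_vulnerable(req: Request) -> str:
    """Handler as the page describes it: a valid session cookie is all it checks."""
    sid = req.cookies.get("session")
    if sid not in SESSIONS:
        return "401 not logged in"
    params = req.form if req.method == "POST" else req.query
    return f"200 transferred {params['amount']} to {params['accountNumber']}"


def transfer_protected(req: Request) -> str:
    """Same handler with the synchronizer token pattern applied."""
    sid = req.cookies.get("session")
    if sid not in SESSIONS:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state change requires POST"          # keeps tokens out of GET URLs
    expected = SESSIONS[sid]["csrf"].encode()
    supplied = req.form.get("csrf_token", "").encode()   # missing token -> empty -> rejected
    # Constant-time comparison so response timing cannot leak the token byte by byte
    if not hmac.compare_digest(expected, supplied):
        return "403 invalid CSRF token"
    return f"200 transferred {req.form['amount']} to {req.form['accountNumber']}"
```

A forged request from another site carries Robert's cookie but cannot carry his token, because the attacker's page has no way to read examplebank.com's form; that is the whole property the pattern depends on, and also why an XSS flaw on the same site defeats it.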
What Is The Difference Between CSRF and XSS?
The two are often confused. In XSS, the attacker's script runs inside the victim's browser within the vulnerable site's origin, so it can read responses, steal data and submit any request, including one carrying a valid CSRF token. In CSRF no script runs in the site's origin: the attacker can only cause the browser to send a request and cannot read the response, which is exactly why an unpredictable token the attacker cannot read defeats it. An XSS flaw therefore also defeats CSRF protection, but CSRF protection does nothing against XSS.
Also Read: Cross-Site Scripting (XSS) Explained: Types, Impacts, and Proven Prevention Strategies
The Bottom Line
CSRF remains common in applications that disable or misconfigure their framework's built-in defenses, so website owners should implement the measures above deliberately rather than assume they are in place. This guide explained what CSRF attacks are and how to prevent them; applying these measures makes your website safer and protects your users' information.
FAQs
What is a CSRF Attack Example?
In a CSRF attack, the attacker gets a logged-in victim to open a malicious page, link or email that makes their browser send a request to the target site carrying the victim's session cookie. For example, the forged request might change the victim's email address, transfer funds, or change their password.
What is CSRF also known as?
Cross-site request forgery (CSRF) is also known as XSRF, Sea Surf, or Session Riding.
What Scenarios are prone to CSRF Attacks?
CSRF attacks on a given action work only when the victim has a session with the target site that the browser attaches automatically (a session cookie or HTTP Basic credentials). Actions that require no authentication, such as submitting a public contact form, have no session to ride. The exception is login CSRF, which targets the login form itself and therefore needs no existing session.