What is Cross-Site Request Forgery (CSRF)?
What is Cross-Site Request Forgery (CSRF)?
A Cross-Site Request Forgery (CSRF) is a vulnerability that allows an attacker to enforce a user to perform malicious activities on behalf of him. Weak access control may lead to this vulnerability which allows an attacker to perform critical actions like changing the password via the victim's interaction.
How does a CSRF work?
As we all know HTTP is a stateless protocol, most of the websites use session cookies for authentication. As the browser's well-known behavior, the browser sends cookies to each requests to the site automatically. So for further authentication, most of the web applications use some unique TOKENS for each requests. When web applications don't use such TOKENS or don't verify the TOKENS on the server-side, CSRF vulnerability arises.
An attacker can exploit the vulnerability by creating the same request on and sends the URL of the page which contains the vulnerable request to the victim. If the victim is logged in into the web application and he clicks on the button which triggers the vulnerable request, exploit is performed.
What attacker can do by exploiting CSRF?
Depending upon the type of the request which is vulnerable, An attacker can exploit CSRF to make the victim perform critical actions like, changing password, disabling 2 Factor Authentication, updating an email address, updating mobile number, deleting the account, etc.
As an attacker has no access to the response of the vulnerable request, CSRF can be exploited to update or delete the information. An attacker can not get any information via CSRF.
Example:
Suppose an application is using the following request to for disabling/enabling the 2-factor authentication:
Suppose an application is using the following request to for disabling/enabling the 2-factor authentication:
POST /manage/2fa HTTP/1.1
Host: vulnerablesite.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Cookie: session_id=xyz
enable_2FA=true
POST /manage/2fa HTTP/1.1
Host: vulnerablesite.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Cookie: session_id=xyz
enable_2FA=true
Host: vulnerablesite.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Cookie: session_id=xyz
enable_2FA=true
As we can see the above request is using only cookies for the authentication purpose, this is vulnerable to the CSRF. An attacker can create an HTML page with the above request and host it on any server.
As we can see the above request is using only cookies for the authentication purpose, this is vulnerable to the CSRF. An attacker can create an HTML page with the above request and host it on any server.
<form action="https://vulnerablesite.com/manage/2fa" method="post">
<input type="radio" id="xyz" name="2fa" value="false" style="visibility:hidden">
<input type="submit" value="Attractive Offers Only For You"/>
</form>
<form action="https://vulnerablesite.com/manage/2fa" method="post">
<input type="radio" id="xyz" name="2fa" value="false" style="visibility:hidden">
<input type="submit" value="Attractive Offers Only For You"/>
</form>
<input type="radio" id="xyz" name="2fa" value="false" style="visibility:hidden">
<input type="submit" value="Attractive Offers Only For You"/>
</form>
An attacker will send URL of this HTML file to victim via social engineering tactics. Once user clicks on the button "Attractive Offers Only For You", request will be sent with and browser will send cookies autometecally and 2-Factor Authentication will be disabled.
An attacker will send URL of this HTML file to victim via social engineering tactics. Once user clicks on the button "Attractive Offers Only For You", request will be sent with and browser will send cookies autometecally and 2-Factor Authentication will be disabled.
How to prevent CSRF?
The developer must use unique CSRF tokens for each sensitive request and verify it on the server-side. For additional security, the Referer Header comparison can also be helpful.
The developer must use unique CSRF tokens for each sensitive request and verify it on the server-side. For additional security, the Referer Header comparison can also be helpful.
0 Comments