Web Application Security Series: Cross-Site Request Forgery (CSRF) Scenario
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions in a web application in which he/she is currently authenticated. It works because the browser automatically attaches the user's session cookie to every request it sends to the application, regardless of which page caused the request to be sent. In this short and sweet web application security series, I describe the workings of CSRF using a practical online banking scenario. I also highlight 5 key lessons from the scenario for security considerations. Enjoy reading!
A typical CSRF scenario goes as follows:
- Bank JLK's online banking website has a CSRF vulnerability: its money transfer function accepts any request that arrives with a valid session cookie, with nothing else to prove that the user intended it. The attacker already knows about this vulnerability.
- A user logs on to Bank JLK's website and realises it has been redesigned with a new interface; he/she cannot find the money transfer function on the new interface.
- The user opens a new tab in the browser and carries out a Google search with the key phrase “How to use the new interface of Bank JLK”.
- The user finds a website with information about the new interface of Bank JLK. It was prepared by the attacker as bait.
- A page on the attacker's website contains a request to Bank JLK's website: a money transfer from the user's account to the attacker's account.
- The user needs to click a button on the attacker's website to trigger the money transfer request, so the attacker uses simple scripting to hide the actual buttons that trigger it behind the page's harmless-looking content.
- The user visits the attacker's website while still logged on to Bank JLK's website. When he/she clicks, the browser sends the money transfer request to the bank with the user's session cookie attached, so the bank treats it as a genuine action and the user unknowingly transfers money to the attacker.
- The attacker never sees the response to the money transfer request (the browser's same-origin policy keeps it from the attacker's page), but does not need to: the transfer has already been carried out.
I hope this scenario has helped in improving your understanding of CSRF web application vulnerabilities. Don’t forget to follow and share this article with your friends.