Web Application Security Series: Cross-Site Request Forgery (CSRF) Scenario

Cross-Site Request Forgery (CSRF) is an attack that forces an end-user to execute unwanted actions in a Web application in which he/she is authenticated. In this short and sweet Web application security series, I describe the workings of CSRF by using a practical online banking scenario. I also highlight 5 key lessons from the scenario for security considerations. Enjoy reading!

A typical CSRF scenario goes as follows:

  1. A user visits his/her online banking website, which has a CSRF vulnerability.
  2. The user notices that the website has been redesigned with a new interface and he/she cannot find the money transfer function on it.
  3. The user then opens a new tab in the browser and carries out a Google search with the key phrase “How to use the new interface of Bank JLK”.
  4. The user finds a website with information about the new interface of Bank JLK, prepared by an attacker who is already aware of the CSRF vulnerability on the Bank's website.
  5. A page on the attacker’s website contains a request to Bank JLK’s website for a money transfer from the user’s account to the attacker’s account.
  6. So when the user visits the attacker’s website, he/she unknowingly submits the money transfer request on the attacker's behalf.

Key lessons

  1. Bank JLK’s website is vulnerable to CSRF and the attacker knows about it.
  2. The user visits the attacker’s website while he/she is logged on to Bank JLK’s website.
  3. The attacker does not see the response of the money transfer request.
  4. The user needs to click a button on the attacker’s website to trigger the money transfer request.
  5. The attacker uses simple scripting to hide the actual buttons that trigger the money transfer request on his/her malicious page.
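The transfer handler behind lessons 1 and 2, shown as an added example that is not from the original article: the "before" version accepts any request that carries the session cookie, so a form submitted from the attacker's page goes through, while the "after" version also demands a per-session CSRF token that only the bank's own pages can embed and rejects requests whose Origin header names another site. Bank JLK's origin, the session store, the ledger and the request shapes are constructed assumptions.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for Bank JLK's session store and ledger.
SESSIONS = {"sess-alice": {"user": "alice", "csrf_token": secrets.token_hex(16)}}
BALANCES = {"alice": 1000, "attacker": 0}
TRUSTED_ORIGINS = {"https://bank-jlk.example"}  # hypothetical bank origin

def _transfer(src, dst, amount):
    if BALANCES.get(src, 0) < amount:
        return "insufficient funds"
    BALANCES[src] -= amount
    BALANCES[dst] = BALANCES.get(dst, 0) + amount
    return "ok"

def vulnerable_transfer(request):
    """Before: the session cookie is the only proof of intent, so a form the
    browser submits from any site, the attacker's included, goes through."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return "not logged in"
    return _transfer(session["user"], request["form"]["to"], int(request["form"]["amount"]))

def hardened_transfer(request):
    """After: demand a per-session secret that only the bank's own pages can
    embed, and refuse requests whose Origin header names another site."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return "not logged in"
    origin = request["headers"].get("Origin")
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return "rejected: cross-site origin"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "rejected: missing or invalid CSRF token"
    return _transfer(session["user"], request["form"]["to"], int(request["form"]["amount"]))

def forged_request(origin="https://attacker.example"):
    """Constructed request as submitted from the attacker's page: the browser
    attaches the bank cookie, but the form carries no token."""
    headers = {"Origin": origin} if origin else {}
    return {"cookies": {"session": "sess-alice"}, "headers": headers,
            "form": {"to": "attacker", "amount": "500"}}

def legitimate_request():
    """Constructed request from the bank's own transfer page, token included."""
    return {"cookies": {"session": "sess-alice"},
            "headers": {"Origin": "https://bank-jlk.example"},
            "form": {"to": "bob", "amount": "100",
                     "csrf_token": SESSIONS["sess-alice"]["csrf_token"]}}
```

The token check still protects browsers that send no Origin header, which is why the hardened handler does not rely on the Origin check alone.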

I hope this scenario has helped in improving your understanding of CSRF web application vulnerabilities. Don’t forget to follow and share this article with your friends.