Cross-Site Request Forgery (CSRF)

Harsha kavinda
3 min read · Oct 4, 2018

Cross-Site Request Forgery (CSRF) is also known as “Session Riding” or “One-Click Attack”. It is a malicious-exploit type of attack against web application users, and it has been listed as the 7th most exploitable among the top 10 web attacks. CSRF allows an attacker to perform arbitrary, unauthorized GET/POST HTTP requests on behalf of a victim who is currently authenticated to the website.

we can prevent this attack in web applications. In addition, I will discuss two major security patterns that we can implement to prevent CSRF attacks.

A quick example

Before executing an attack, the attacker typically studies the application in order to make the forged request look as legitimate as possible.

Let’s look at a Facebook example.

Facebook uses a session ID to identify the logged-in user. Consider the normal “unfriend” scenario for a Facebook user.

The user simply enters his username and password to log in to Facebook. After the credentials are verified, Facebook authenticates the user and creates a session ID. From then on, this session ID is used to identify the user uniquely. The important point is that the session ID travels in a session cookie stored in the browser’s cookie storage, so the browser attaches it automatically to every request to Facebook.

Suppose Facebook was designed to use a GET request to unfriend a friend, and the URL looks like this:

http://m.facebook.com/users/unfriend?id=MyFriendID

In the Facebook UI the user simply selects a friend and clicks the unfriend button; the page then requests this URL and the friend is removed. Now imagine an attacker prepares that URL with a chosen friend ID (shortening it with a URL shortener into something like https://sllit.girls.com/seehotgirls) and sends the link to users via chat or a post.

The user does not know what the URL does and clicks on it. The browser makes the request unintentionally, sending the session cookie along with it, and the friend is removed from the user’s Facebook account. This is how an attacker tricks a user into executing an unwanted action, and the problem is known as Cross-Site Request Forgery.

The assumptions of CSRF

For a CSRF attack to succeed, the following assumptions have to hold; preventing the attack means breaking at least one of them:

  • The attacked website does not check the Referer HTTP header, so it accepts requests originating from external pages.
  • The website accepts data modification via form submissions or URLs that have side effects which the attacker can exploit.
  • The attacker can determine all the values for the request inputs. In the simplest case, authentication is done exclusively via a session cookie, so the attacker only has to fill in non-sensitive fields.
  • The user must load a malicious page containing the attacker’s code. Judging by the amount of Facebook likejacking, clicking on everything that moves is a pretty common behavior.
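To make the four assumptions concrete, here is an added example (not code from the original post or from Facebook) that models the unfriend action from the Facebook scenario above in plain Python. `unfriend_vulnerable` trusts the session cookie alone on a GET, exactly as the post describes; `unfriend_hardened` adds one check per assumption: side effects only on POST, an Origin/Referer check, and a per-session synchronizer token the attacker cannot know. The site origin, session store and request shape are constructed assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://m.example-social.test"   # assumed origin of the protected site
# Constructed in-memory session store: session id -> logged-in user and its CSRF token
SESSIONS = {"sess-abc": {"user": "alice", "csrf": secrets.token_urlsafe(32)}}


@dataclass
class Request:
    method: str
    cookies: dict                                 # sent automatically by the browser
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # query string or form body


def current_session(req):
    """Identify the caller by the session cookie, as the Facebook example does."""
    return SESSIONS.get(req.cookies.get("session_id"))


def unfriend_vulnerable(req):
    """The post's vulnerable pattern: a state-changing GET that trusts the cookie alone."""
    sess = current_session(req)
    if sess is None:
        return 401, "not logged in"
    return 200, f"{sess['user']} unfriended {req.params.get('id')}"


def same_origin(req):
    """Compare Origin (or Referer) with the site origin; breaks the first assumption."""
    hdr = req.headers.get("Origin") or req.headers.get("Referer")
    if not hdr:                                   # strict: no header, no state change
        return False
    u = urlsplit(hdr)                             # exact scheme+host match, not a prefix match
    return f"{u.scheme}://{u.netloc}" == SITE_ORIGIN


def unfriend_hardened(req):
    """Same action with one check per CSRF precondition listed above."""
    sess = current_session(req)
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":                      # no side effects on a clickable GET URL
        return 405, "method not allowed"
    if not same_origin(req):                      # request launched from another page
        return 403, "cross-site request rejected"
    token = req.params.get("csrf_token", "")      # synchronizer token the attacker cannot read
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "bad csrf token"
    return 200, f"{sess['user']} unfriended {req.params.get('id')}"
```

Note that browsers sometimes strip the Referer header, so a real deployment should rely on the token check rather than on the header check alone.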

So, to prevent this CSRF security problem, there are two major security patterns that we can implement.

1. Synchronizer Token Pattern
2. Double Submit Cookie Pattern

I will be discussing these security patterns in my next blog posts.

Conclusion

The techniques described in this story are viable and worth a thought for any application that contains useful data.
