Introduction to Cross-Site Request Forgery (CSRF)

Sajeth Jonathan
Published in The Padlock · Oct 11, 2019 · 3 min read

Introduction

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. This is done by crafting a malicious request and tricking the end user to submit the request to the web application.

This is not an attack that steals data, since the attacker cannot observe the response to the forged request. CSRF attacks specifically target state-changing requests. Before looking at the various forms a CSRF attack can take, let me explain it with a simple example.

Examples

GET method

Let’s assume there is a web application called “FreeBook” which has a customer feedback form.

[Figures: the feedback form, and the HTML code for the feedback form]

The intended purpose of this form is to collect genuine feedback from the user and store it in a database. Once the form is submitted, the GET request looks like this:

http://freebook.com/store_feedback.php?message=dummymessage

An attacker cannot simply send a similar GET request themselves to submit feedback, because the request has to come from an authenticated session. So, what else can the attacker do? They can try to trick the end user into sending the GET request on the attacker’s behalf, for example by sending an e-mail containing a crafted link.

This would allow the attacker to submit any message as feedback through the end user’s FreeBook account.

Note: this only works, and goes unnoticed, if the end user is already logged in to their FreeBook account.

POST method

With POST, the attacker can no longer use an <a> or <img> tag to send the state-changing request to the web application, because the data must be delivered in the body of the request rather than in the URL. This can be done using a <form>.

This is the basic idea behind a CSRF attack. For further notes and information click HERE.

RISKS

CSRF attacks like this are used for state-changing requests. For example, the attacker can craft a form that deletes the user’s posts, profile picture or their whole account. More generally, with the right values an attacker can perform any action the user’s account is allowed to perform, to the attacker’s advantage.

PREVENTION

This attack can be eliminated if we can verify whether a request was made intentionally by the user. There are two common methods to achieve this:

  1. Synchronizer Token Pattern
  2. Double Submit Cookie Pattern
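As an added illustration of the first of these, the Synchronizer Token Pattern, here is a small in-memory simulation of the FreeBook feedback handler (example code written for this page, not the post’s or FreeBook’s own; the session store, the `csrf_token` field name and the `/store_feedback.php` path are assumptions). It shows why the forged submission from the attacker’s page is rejected while the genuine one is accepted.

```python
import hmac
import re
import secrets

# Constructed in-memory server state (added illustration, not FreeBook's code).
SESSIONS = {}      # session id -> {"user": ..., "csrf": per-session token}
FEEDBACK = []      # messages the server actually accepted


def login(user):
    """Create a session and mint an unguessable per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Synchronizer Token Pattern: the server embeds the session's token in a
    hidden field. A page on another origin cannot read this HTML, so it never
    learns the value it would need to produce a valid submission."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="POST" action="/store_feedback.php">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<textarea name="message"></textarea></form>' % token)


def store_feedback(sid, form):
    """Server-side handler: accept the state change only if the submitted
    token matches the one stored for this session (constant-time compare)."""
    session = SESSIONS.get(sid)
    if session is None:
        return False                      # not authenticated at all
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return False                      # missing or wrong token: reject
    FEEDBACK.append(form["message"])
    return True


def legitimate_submission(sid, message):
    """The real browser flow: load the form, then post message plus token."""
    html = render_form(sid)
    token = re.search(r'name="csrf_token" value="([^"]+)"', html).group(1)
    return store_feedback(sid, {"csrf_token": token, "message": message})


def forged_submission(sid, message):
    """The attacker's cross-site <form>: the victim's session cookie (sid)
    rides along automatically, but the token is unknown to the attacker."""
    return store_feedback(sid, {"message": message})
```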

In my upcoming blog posts, I will be demonstrating implementations of both methods.

If you have any questions regarding CSRF, feel free to comment below. I will try my best to answer them.
