Cross Site Request Forgery [CSRF-XSRF] Vulnerability

November 21, 2016


Cross-site request forgery (CSRF), also known as a "one-click attack", session riding or Sea-Surf, and abbreviated CSRF or XSRF, is an attack on a website ("web application") in which unauthorized commands are transmitted from a user that the application trusts. The impact of a successful CSRF attack is limited to the functionality the vulnerable application exposes and to the privileges of the victim. Against a normal user, a successful CSRF attack can compromise that user's data and any action the user is allowed to perform in the application.

If the targeted user holds an administrator account ("admin"), a CSRF attack can compromise the entire web application. The sites most likely to be targeted by CSRF are community sites (social networks, email providers and forums) and sites that manage high-value accounts, such as banks and stock brokerages.

Using social engineering, an attacker (pentester or hacker) can embed malicious HTML or JavaScript in an email or web page that requests a specific task URL on the target site. The task then executes with or without the user's knowledge, either directly (the browser issues the request as soon as the content loads) or by way of a cross-site scripting flaw in the target site.

A CSRF attack therefore makes the victim's browser transmit requests that the target website trusts, without the victim's consent.

With cross-site scripting (XSS), the attacker exploits the trust a user has in a website; with CSRF, on the other hand, the attacker exploits the trust a website has in the user's browser.

In practice, an attacker uses CSRF by tricking the victim into visiting a page or clicking a link that carries the malicious or unauthorized request, applying the usual social engineering tips and tricks to get the click.

On a request to a site, the browser automatically includes any credentials it holds for that site, such as the user's session cookie or HTTP Basic authentication credentials; and because the request leaves the victim's own machine, it also carries the victim's IP address, so IP-based trust does not help either. Thus, while the user's authenticated session is still valid, an attacker can use CSRF to issue any request against the site, and a site that relies on those credentials alone cannot distinguish the forged request from a legitimate one.

An illustration of the attack is shown in the figure below.

Figure: CSRF example by TheBlaCkCoDeR

  1. Interesting! Please suggest a video where CSRF is demonstrated

  2. Good one mate. Thank you 🙂

  3. A really clear explanation of CSRF. I like that you clarified some of the jargon that is often thrown about without thought for the novice who may not have come across it before. Thanks for a good article.

