CSRF
Rangeforce

Did you know Cybrary has FREE video training? Join more than 2,500,000 IT and cyber security professionals, students, career changers, and more, growing their careers on Cybrary.

Time: 45 minutes
Difficulty: Beginner

Rangeforce's Secure Coding Labs - Web Application Security Essentials - OWASP Top 10 - Cross Site Request Forgery


Overview

CSRF, also known as Cross-Site Request Forgery, is a method used to trick a user's web browser into performing an unwanted action on a web application into which that user is logged in. If successful, a CSRF attack can harm both the client/business and the user(s). This ultimately results in the following:

  • A ruined client relationship
  • Completely unauthorized money transfers (crypto or monetary)
  • Password changes
  • Most importantly, stolen session cookies.

This is carried out through ill intent such as a "phishing" scam, a downloadable file behind a link, etc., that directs an end user to a falsified server. Once such a request reaches the web application, it is very difficult for it to tell a "real" or "authorized" request from a fake/forged one.

In a common scenario the following occurs:

1 - The attacker deliberately forges a request for a money transfer against the target (a website).

2 - The attacker encodes the request in a hyperlink and sends it to visitors who are also logged into that website.

3 - The visitor(s) click the link (not knowing any better), which sends the attacker's request; at this point the website fully validates the request and transfers the requested funds from Point A to Point B. Note that Point B is the destination chosen by the attacker.

To further illustrate how such an attack can work: the attacker will make as many attempts as needed to get this right, and examples are readily available on GitHub. Once the attacker understands how the target works, the script (scripting is used here) will usually produce a forged hyperlink whose request ultimately sends the requested fund(s) into their account.

The next step is typically that, once the attacker has a working script/example, they send it out to a large number of bank customers (again, after testing this on a small scale).

To prevent such attacks, consider the following:

1 - Generate a unique, random token for each and every session request.

2 - The double-submit cookie pattern is also well suited to detecting, and therefore blocking, CSRF attempts.

3 - Utilize custom rules. While many enterprise products exist to prevent this, one can simply apply one's own policies with little to no practice and test this blocking method. More to cover in further documentation/labs/guidelines, etc.

GET requests are key here: understanding them is crucial not only to recognizing whether one is under attack but also to preventing such attack(s).
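The two token-based defenses listed above (per-session synchronizer token and double-submit cookie), plus the rule that state-changing actions never ride on GET, as an added example that is not part of the lab material. The in-memory `SESSIONS` store, the `login`/`handle_transfer` functions and the request dictionaries are constructed stand-ins for a real web framework's session backend and request object.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for a real server-side session backend.
SESSIONS = {}

def login(user):
    """Create a session and bind one fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_transfer_form(sid):
    """Hidden field the legitimate page serves; a cross-site page cannot read it."""
    return {"csrf_token": SESSIONS[sid]["csrf_token"]}

def _same(a, b):
    # Constant-time comparison so a mismatch does not leak which byte differed.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))

def has_valid_synchronizer_token(session, form):
    """Defense 1: the submitted token must match the one bound to this session."""
    return _same(form.get("csrf_token", ""), session["csrf_token"])

def has_valid_double_submit(cookies, form):
    """Defense 2 (stateless): the token in the csrf cookie must equal the one in
    the form. Browsers send the cookie automatically, but a cross-site page
    cannot read it, so it cannot echo the value into the form body."""
    cookie_token = cookies.get("csrf", "")
    return bool(cookie_token) and _same(cookie_token, form.get("csrf_token", ""))

def handle_transfer(request):
    """Process a money transfer. request = {"method", "cookies", "form"}."""
    if request["method"] != "POST":  # state changes are never accepted on GET
        return 405, "use POST for state-changing actions"
    session = SESSIONS.get(request["cookies"].get("session", ""))
    if session is None:
        return 401, "not logged in"
    if not has_valid_synchronizer_token(session, request["form"]):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {request['form']['amount']} to {request['form']['to']}"

if __name__ == "__main__":
    sid = login("alice")
    good = {"method": "POST", "cookies": {"session": sid},
            "form": {**render_transfer_form(sid), "to": "bob", "amount": "10"}}
    # Forged request: the victim's browser attaches the session cookie on its own,
    # but the attacker's page never saw the token, so the form lacks it.
    forged = {"method": "POST", "cookies": {"session": sid},
              "form": {"to": "mallory", "amount": "1000"}}
    print(handle_transfer(good))    # (200, 'transferred 10 to bob')
    print(handle_transfer(forged))  # (403, 'CSRF token missing or invalid')
```

The 403 on the forged request is the log line a defender should be alerting on; the session cookie alone was accepted by the server, which is exactly why the token check must be unconditional.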