Guide to CSRF (Cross-Site Request Forgery) | Veracode (2024)

When a user is logged into a website, the browser sends some form of authentication data as session information with each request to that website, such as a session cookie, client certificate, or other stored credential. A CSRF flaw means that the site does not distinguish between intentional actions taken by the user and forged requests generated by a malicious link or script.

Rates of Credentials Management Flaws in Software


CSRF is one type of credentials management flaw. Some type of credentials management vulnerability exists in 42% of applications, according to Veracode static scan data.

While CSRF may be less common than, for example, the use of hard-coded passwords to operate certain types of devices, it is a form of insufficiently protected credentials. CSRF vulnerabilities may be especially concerning given how much people rely on web applications to manage important aspects of their daily lives and how much personal and business information is tied directly to web applications. CSRF attacks can also be used to exploit flaws in internet-connected devices from home routers to Internet of Things (IoT) devices—the same systems often vulnerable to other types of credentials management problems, such as hard-coded or default passwords.

This flaw is especially concerning to businesses and others with some type of administrator-level access to web applications. For example, people with access to the back end of a company's website may inadvertently submit requests crafted by an attacker. CSRF vulnerabilities can allow an attacker to gain administrator-level access or take over the site when a plug-in or module containing these flaws is active on the site.

How Cross-Site Request Forgery Attacks Work

CSRF attacks exploit flaws in the ways web applications handle authentication and credential checks. CSRF attacks require that the user is authenticated against the targeted site with some form of persistent cookie or credentials. This means that every request sent by their web browser to the targeted site will include those cookies or credentials. This is an important part of the functionality of most sites that require a user to log in. After all, people would quickly leave a social media or membership site that forced them to log in again every time they visit another page or open a new browser tab.

When CSRF requests are sent by someone who is not logged in, nothing happens; the request is simply discarded by the target site. When CSRF flaws are present in a site or application, these same requests from a logged-in user's browser can execute an array of state-changing actions.

Protecting a web application against CSRF flaws allows the application or target site to differentiate such unwanted requests from legitimate requests, and this protection can be achieved without detriment to the user experience.

In many cases, CSRF attacks originate from unwanted emails or questionable websites, so teaching users not to click phishing links can play some role in protection. However, the most powerful form of protection against this type of attack is to ensure that the request originates from a form that the server previously issued to the user within that session, so the server can verify the submission before acting on it.

Executing a CSRF Attack

In a Cross-Site Request Forgery attack, the attacker is exploiting how the target web application manages authentication. For CSRF to be exploited, the victim must be authenticated against (logged into) the target site. For instance, let’s say examplebank.com has online banking that is vulnerable to CSRF. If I visit a page containing a CSRF attack on examplebank.com but am not currently logged in, nothing happens. If I am logged in, however, the requests in the attack will be executed as if they were actions that I had intended to take.

Let’s look at how the attack described above would work in a bit more detail. First, let’s assume that I’m logged into my account on examplebank.com, which allows for standard online banking features, including transferring funds to another account.

Now let’s say I happen to visit somemalicioussite.com. It just so happens that this site is trying to attack people who bank with examplebank.com and has set up a CSRF attack on its site. The attack will transfer $1,500.00 to account number 123456789. Somewhere on somemalicioussite.com, attackers have added this line of code:

<iframe src="http://examplebank.com/app/transferFunds?amount=1500&destinationAccount=123456789"></iframe>

Upon loading that iframe, my browser will send that request to examplebank.com, attaching the session cookie that identifies me as logged in. The request will be processed and send $1,500.00 to account 123456789.

Another Cross Site Request Forgery Example

I just bought a new home wireless router. Like most wifi routers, it’s configured through a web interface. The router was shipped to me with an internal IP address of 192.168.1.1. I’m having trouble configuring the router though, and fortunately the folks over at somemalicioussite.com have published a guide that shows me exactly what buttons to click in the router interface to get everything set up securely. The attackers have also set up a proxy server at 123.45.67.89 that will log all traffic that goes through it and look for things like passwords and session tokens.

As I clicked through the configuration guide, I missed the 1x1 pixel image that failed to load:

<img src="http://192.168.1.1/admin/config/outsideInterface?nexthop=123.45.67.89" alt="pwned" height="1" width="1"/>

The attackers knew that when I was reading their tutorial, I would be logged into the router interface. So they had the CSRF attack set up in the tutorial. With that request, my router would be reconfigured so that my traffic will be routed to their proxy server where they can do all manner of bad things with it.

Preventing Cross-Site Request Forgery Vulnerabilities

Organizations can easily prevent most CSRF attacks by the use of a CSRF token. These unique tokens can be appended to each sensitive request. By adding a challenge token to every state change request, from transferring funds to creating administrator accounts on a website back end, and properly checking that token when processing requests, developers can ensure that these requests are legitimately submitted by authenticated users.

Each time the server renders a page that includes sensitive actions, a unique CSRF token is passed to the user. For this system to work properly, the server must then only take the requested sensitive action when the token is fully validated, rejecting all requests with either invalid or missing tokens. One common error when implementing CSRF checks is to reject requests that have invalid tokens but allow requests with missing tokens to proceed, rendering the token process ineffective.
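The token check described above, as an added example (not Veracode's code): a session-bound HMAC token, a validator that treats a missing token like an invalid one, and the buggy request handler from the last paragraph beside its fixed form. The server secret and session id are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret for this example; a real deployment loads it from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def issue_token(session_id: str) -> str:
    """Mint a CSRF token for one rendered page, tied to the user's session.

    The token is a random nonce plus an HMAC over (session id, nonce), so it is
    unpredictable and a token issued for one session does not verify for another.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: Optional[str]) -> bool:
    """Correct check: a missing or malformed token fails exactly like a forged one."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def handle_transfer_buggy(session_id: str, form: dict) -> str:
    """The common mistake: only reject when a token is present AND invalid.

    A forged request that simply omits the csrf_token field (as the iframe in the
    article does) sails through.
    """
    token = form.get("csrf_token")
    if token is not None and not token_is_valid(session_id, token):
        return "rejected"
    return "transferred"


def handle_transfer(session_id: str, form: dict) -> str:
    """Fixed handler: absent, malformed and forged tokens are all rejected."""
    if not token_is_valid(session_id, form.get("csrf_token")):
        return "rejected"
    return "transferred"
```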

Finding and Remediating Cross-Site Request Forgery Vulnerabilities

To check for CSRF vulnerabilities, look for forms that allow users to make requests and check to see if an anti-CSRF token is generated properly. Most modern web frameworks can be configured globally to include anti-CSRF tokens on all form pages and to handle the verification transparently. Any time a user can submit a state-change request, such as transferring funds, making a purchase, adding an administrative user, or changing a password, this request must be protected by a CSRF token. If a form is not intended to allow users to make this type of change, its scope should be constrained to prevent misuse by attackers.

CSRF tokens can also be combined with other types of protective coding, including ensuring that session cookies are set with the SameSite cookie attribute. This attribute allows developers to instruct browsers to manage whether cookies are sent along with requests from third-party domains. Online banking sites, for example, may want to use the strictest level of cookie protection. You can also add the HttpOnly attribute to protect against some forms of cross-site scripting flaws; doing so also makes CSRF attacks more difficult to execute, as cross-site scripting vulnerabilities enable some types of CSRF attacks.
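An added example (not Veracode's code) modelling the SameSite and HttpOnly behaviour this paragraph describes: which requests a browser attaches a session cookie to under Strict, Lax and None, and what the corresponding Set-Cookie header looks like. The model is simplified, covering only the cross-site, method and top-level-navigation distinctions; the cookie names and values are constructed.

```python
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    samesite: str = "Lax"      # "Strict", "Lax" or "None"
    http_only: bool = False


@dataclass
class Request:
    method: str                # "GET", "POST", ...
    cross_site: bool           # initiated from a different site than the cookie's site
    top_level_navigation: bool # user follows a link (True) vs. embedded <img>/<iframe> (False)


def browser_sends_cookie(cookie: Cookie, req: Request) -> bool:
    """Simplified SameSite decision a browser makes before attaching a cookie."""
    if not req.cross_site:
        return True  # same-site requests always carry the cookie
    mode = cookie.samesite.lower()
    if mode == "strict":
        return False  # never sent cross-site
    if mode == "lax":
        # Lax: only top-level navigations with a safe method carry the cookie,
        # so a cross-site <iframe>/<img> fetch or a cross-site POST goes without it.
        return req.top_level_navigation and req.method.upper() in ("GET", "HEAD")
    return True  # SameSite=None: sent on every cross-site request (requires Secure)


def script_can_read(cookie: Cookie) -> bool:
    """HttpOnly hides the cookie from document.cookie and other script access."""
    return not cookie.http_only


def set_cookie_header(name: str, value: str, samesite: str,
                      http_only: bool = True, secure: bool = True) -> str:
    """Build the Set-Cookie header value a hardened session cookie should use."""
    parts = [f"{name}={value}", f"SameSite={samesite}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)
```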


FAQs

What is Cross-Site Request Forgery or CSRF?

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website or web application where unauthorized commands are submitted from a user that the web application trusts.

What's the most effective measure to take against Cross-Site Request Forgery (CSRF)?

Common defences against CSRF

When attempting to perform a sensitive action, such as submitting a form, the client must include the correct CSRF token in the request. This makes it very difficult for an attacker to construct a valid request on behalf of the victim.

What is the best practice for CSRF?

The most robust way to defend against CSRF attacks is to include a CSRF token within relevant requests. The token must meet the following criteria: Unpredictable with high entropy, as for session tokens in general. Tied to the user's session.

What three key conditions must be in place for a CSRF attack to be possible?

For a CSRF attack to be possible, three key conditions must be in place: An operation in the web application that provides value to the attacker. Cookie-based session handling. No unpredictable request parameters.

Is CSRF still a thing?

CSRF vulnerabilities can still occur on login forms where the user is not authenticated, but the impact and risk is different.

What is the most common result of a cross-site request forgery?

While the potential impact against a regular user is substantial, a successful CSRF attack against an administrative account can compromise an entire server, potentially resulting in complete takeover of a web application, API, or other service.

What is CSRF for dummies?

CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf (though note that this is not true of login CSRF, a special form of the attack described below).

What is an example of Cross-Site Request Forgery?

Cross site request forgery (CSRF) is a vulnerability where an attacker performs actions while impersonating another user. For example, transferring funds to an attacker's account, changing a victim's email address, or they could even just redirect a pizza to an attacker's address!

Is XSS worse than CSRF?

The consequences of XSS vulnerabilities are generally more serious than for CSRF vulnerabilities: CSRF often only applies to a subset of actions that a user is able to perform.

What is the first step in a CSRF attack?

Social engineering platforms are often used by attackers to launch a CSRF attack. This tricks the victim into clicking a URL that contains a maliciously crafted, unauthorized request for a particular Web application. The user's browser then sends this maliciously crafted request to a targeted Web application.

What is the first line of defense against a CSRF attack?

Proper User Authentication

Robust user authentication is the first line of defense against CSRF attacks. Implement authentication mechanisms that require strong, unique credentials for each user. Use secure hashing algorithms to store passwords, and enforce password complexity requirements.

Why are CSRF attacks difficult to detect?

CSRF attacks can be challenging to detect because they exploit the trust between a user's browser and a website. The malicious requests sent by attackers appear legitimate, as they carry the user's session data.

What is an example of CSRF forgery?

Let us consider the following example: Alice wishes to transfer $100 to Bob using the bank.com web application that is vulnerable to CSRF. Maria, an attacker, wants to trick Alice into sending the money to Maria instead. The attack will comprise the following steps: Building an exploit URL or script.

What is CSRF and how does it work?

Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user.

What are XSS and CSRF attacks?

XSS attacks exploit a user's trust in a website by injecting malicious scripts that run within the user's browser on trusted sites. In contrast, CSRF attacks exploit a website's trust in a user's browser, allowing attackers to perform unauthorized actions on behalf of the authenticated user.

What does CSRF detected mean?

Cross-site request forgery, often abbreviated as CSRF, is a possible attack that can occur when a malicious website, blog, email message, instant message, or web application causes a user's web browser to perform an undesired action on a trusted site at which the user is currently authenticated.
