All posts

Cross Site Request Forgery explained through q&a

What is someone attempting a CSRF attack trying to do?

In the most straightforward case they are attempting to get you to make requests you didn’t intend to, often by clicking on a link or image. These requests might be trying to alter a user password so the attacker can continue to act as the victim now knowing their password or transfer money from the victims online bank account into the attackers.

What is an example of a CSRF attack?

An attacker trying to transfer money out of user accounts of bank.com. This attacker could setup an email account similar to that of bank.com’s support email. Let’s say bank.com’s email address is support@bank.com and the attacker creates the email support@banks.com and then sends an email posing as the bank with links included in the email body like:

<a href="bank.com/transfer?to=theattacker@gmail.com&amount=2000 />

Clicking this URL would transfer $2000 from the victims account to the attackers, using the cookies stored in the victims browser as a means of authorization.

How are XSS and CSRF attacks different?

In an XSS attack the end goal is often to steal user credentials to gain access to their systems account.

In the case of a CSRF attack the object is to execute an unwanted action on behalf already logged in user, like a transfer money from victims account into the attackers account in a banking system.

Is the following an example of a CSRF attack?

Scenario: An attacker executes a script on behalf of a user that hijacks the credentials of the current browser window they are logged into and writes those credentials to a database so they can act on behalf of that user in the future?

It is not an example of a CSRF attack, this is a Persisted XSS attack. It would have been a CSRF attack if it was attempting to execute an action (example a bank transfer) without stealing the credentials for future use.

How is an attacker able to authenticate requests using the victims credentials?

Through the use of browser cookies.

Encrypted session cookies are often used as a means of authorizing a user to server resources and they are sent on every request to the server that issued them. An attacker could send you a link to bank.com and if your session cookie for bank.com isn’t expired, your credentials will be sent along with that request and the attacker will be authorized as you, if you click the link.

What measures should a developer take to ensure they are protected from CSRF?

To protect against malicious form POST requests websites can use a hidden input field generated by the websites application server, the value of which is an authenticity token that gets sent to the server along with the rest of the form values onsubmit. This token is then checked for validity before continuing with the intended POST action. An attacker could not create their own fake authenticity tokens because they would not have been generated by the server that created the form. Most modern web frameworks handle this in forms by default.

More Web Attack/Security Decks:

  1. Cross Site Scripting
  2. Man In The Middle Attack