What is a Cross-Site Request Forgery (CSRF) Attack?
- By Greg Brown
- Apr 07, 2023
Successful hackers have the ability to find a specific vulnerability and turn it into millions of dollars if the account is large enough. Good hackers keep it simple by using the browser as a means to attack unwitting users.
Cross-site request forgery, commonly called CSRF, is an innovative attack method in which hackers use header and form data to exploit the trust a website has in a user’s browser.
Even though the attack methods are similar, CSRF differs from cross-site scripting (XSS). XSS is malicious code injected into otherwise benign and trusted websites. In contrast, CSRF forces users into unwanted actions on sites where they are currently authenticated. Hacked administrator accounts can compromise the entire application.
The first documented use of CSRF came in 2005 when the world’s fastest-spreading worm ever, dubbed Samy, came into focus. The worm was designed to propagate across MySpace. Within the first 24 hours, over one million users clicked on the worm, which displayed the string “but most of all, Samy is my hero.” The worm was the first documented XSS in history that used a CSRF replication method.
Notable CSRF Attacks:
- 2006 saw Netflix with a challenging cross-site scripting problem that allowed hackers to add DVDs to a person’s account and change login credentials with addresses.
- In 2007, Gmail found several CSRF vulnerabilities early in its development cycle.
- Yahoo calendar permitted hackers to use CSRF to add malicious events to be scheduled.
CSRF attacks begin when the user logs into a compromised page and a rogue HTTP request is made from an authenticated browser to the application. If the attacker is adequately authenticated into the page, hackers can make a user’s bank account authorize transfers, change account information, and make charges.
One significant advantage for hackers is they rely on victims never logging out anymore. Attacks use social media to ensure unwitting victims visit the pages controlled by hackers using links or attachments.
Anatomy of CSRF Attacks
CSRF is a form of confused deputy attack, in which a forged request sent from the browser to a web server leverages the victim’s authentication. The confused deputy is an escalation technique for attacking accounts higher up on the food chain or network, such as administrators, which could result in a complete account takeover.
During the CSRF attack, the victim’s browser gets tricked into sending multiple HTTP requests to a web application according to hacker instructions. The victim’s HTTP requests include cookies with session headers. Cookies store the user’s session, so they do not have to keep re-authenticating.
The browser creates these small blocks of HTML to store session and user information. Cookies have been a security risk since two years after they were invented in 1994 by a Netscape engineer. Notable malware attacks have been routed through the innocent little cookie. Several types of cookies make up the landscape: session cookies, persistent cookies, and supercookies.
Cookies cannot install or transport malware because of their small size and how HTML is written. Cookie authentication is vulnerable to CSRF, so security measures such as CSRF Tokens should be used.
If the application is vulnerable to CSRF, hackers can launch login attempts against banking and other financial accounts. The victim’s website will not be able to distinguish if the request is valid or compromised.
- Hackers forge a request for a fund transfer or other financial transaction and embed the request into a hyperlink.
- Working from a purchased or stolen list of victims, hackers text or email compromised links to whoever may be logged into the banking site at the time.
- The unwitting visitor clicks on the malicious link; the embedded request is sent to a bank’s website without the user’s knowledge.
- The website validates the request, and funds are transferred.
Who is Susceptible to CSRF?
Given the malicious nature of this attack, it would be logical to assume it can go after any browser; fortunately, this is not the case. Websites that are oriented toward simple query and retrieval are not susceptible to CSRF, as they do not perform any modification or updating, like a fund transfer. However, transaction sites such as your bank or e-commerce are heavily targeted by hackers. Most transaction sites rely solely on automatically submitted credentials.
Forums and message boards are highly susceptible to CSRF attacks. For example, hackers build a crafted message with sports teams or designer clothing images containing the embedded CSRF code. Users who click on the images or links in a post may compromise other members viewing the message.
Persistent cookies continue to be a security issue and are highly vulnerable to CSRF attacks. Many modern social media platforms feature an “always logged in” option. The target application could be triggered for an attack, or another blog or site could be targeted with a crafted URL.
Protection For CSRF
Web development is challenging and tedious work, and there must be loads of talent. The Open Worldwide Application Security Project (OWASP) features a web security testing guide. This resource is for web developers and security professionals.
CSRF attacks are simple to design for hackers with coding knowledge. Successful CSRF attacks are a concern when developing modern applications for more strictly regulated financial websites.
The most widely used prevention method for CSRF is the token. In the synchronizer token pattern, a unique, secret value is added to each request.
When users submit a form or another transaction that requires a cookie, the request must include an anti-CSRF token. The web application then verifies that the token is present and authentic before proceeding.
It is recommended that users choose a well-tested and reliable anti-CSRF library. Well-designed tokens include quality attributes such as unique session identifiers, automatic expiration, and cryptographic security.
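The token attributes listed above (bound to a session, automatically expiring, cryptographically secure) can be seen in the following added example, which is not code from the original article or from any particular library. It uses a stateless HMAC-signed token rather than a server-stored synchronizer token; SERVER_KEY, TOKEN_TTL, the "session" cookie, the "csrf_token" form field and handle_transfer are hypothetical names chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # constructed here; load from a secret store in practice
TOKEN_TTL = 900                       # seconds; hypothetical lifetime


def _mac(session_id, expiry, nonce):
    # Length-prefix the session id so field boundaries cannot be shifted.
    msg = f"{len(session_id)}:{session_id}|{expiry}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Return 'expiry.nonce.mac'; the MAC binds the token to one session."""
    now = time.time() if now is None else now
    expiry = int(now + TOKEN_TTL)
    nonce = secrets.token_hex(16)
    return f"{expiry}.{nonce}.{_mac(session_id, expiry, nonce)}"


def verify_token(session_id, token, now=None):
    """True only for an untampered, unexpired token issued to this session."""
    if not isinstance(token, str) or token.count(".") != 2:
        return False
    expiry, nonce, mac = token.split(".")
    expected = _mac(session_id, expiry, nonce)
    # Constant-time comparison, done on bytes because compare_digest
    # rejects non-ASCII str arguments.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False
    now = time.time() if now is None else now
    return now < int(expiry)  # expiry is trusted here: the MAC covered it


def handle_transfer(cookies, form):
    """Hypothetical state-changing endpoint; returns an HTTP status code."""
    session_id = cookies.get("session")
    if session_id is None:
        return 401
    # A forged cross-site request carries the cookie but not the token.
    if not verify_token(session_id, form.get("csrf_token")):
        return 403
    return 200
```

Because the browser attaches the session cookie automatically but never the token, a request that arrives with only the cookie is rejected with 403.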
Always Keep Your Data Safe, Especially When In Browsers
Continue to tweak the security settings of your browser, especially the cookie delete area. Get in the habit of regularly cleaning out as many cookies as possible without jeopardizing login information to your banking and charge accounts. It may be a good idea to delete all cookies every time you log out until there is no more suspicion of attack.