Cross-Site Request Forgery (CSRF)

Description

Cross-Site Request Forgery (CSRF) is a vulnerability that allows an attacker to perform unintended actions in a web application in which the victim has an active session (is logged in).

An attacker tricks the victim into submitting malicious requests (state-changing requests like a money transfer, a password change, etc.) to the website using the victim's active session. As the request is sent from the user's browser, there is no way for the attacker to respond to such forged requests.

Whenever a new request is made to a website, the browser attaches that site's session cookies, if present.

Example

Consider an example: you transfer 1001 INR to account number 9075329437 using online banking.

Internally, the browser sends this request to the bank server along with your session cookie: https://www.yourbank.com/sendMoney.php?to=9075329437&amount=1001

Suppose the attacker changes account number 9075329437 to his own account number 9999999999, sets the amount to anything he wants, like 9999, and sends you the link in an email: https://www.yourbank.com/sendMoney.php?to=9999999999&amount=9999

You will not click on this link! From the link itself, it is obvious that it will transfer money.

So the attacker uses CSRF to send this request from your browser. The attacker creates somewebsite.com, which attracts you with something like a lucky draw or a free iPad offer. He adds the malicious request to it as:

<img src="https://www.yourbank.com/sendMoney.php?to=9999999999&amount=9999" width="0" height="0" border="0">

When the victim visits somewebsite.com, the browser tries to render this image, so it sends the forged request to the bank server, and your money gets transferred!

  • Similarly, CSRF can be done on a password reset request (possible only if the server is not validating the current password).
  • To forge a POST request, exploitation is different.

Impact

  • The impact of CSRF mainly depends on the request that can be forged.
  • A forged password update request will lead to account takeover.
  • If the victim is a privileged user like an admin, then CSRF will have a large impact.

Prevention

  • Implement an anti-CSRF token that is random and unique for each request, and validate it at the server before acting. An attacker cannot read the anti-CSRF token because the SOP (Same-Origin Policy) does not allow cross-origin reads.
  • Use the SameSite=Strict cookie attribute, which will send the cookie only on same-origin requests.
  • Validate the X-Requested-With and Origin headers (if present).
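
The server-side checks from the list above, sketched in Python as an added example (not code from the original page or from any bank). The function names, the in-memory token store, the "sess-1" session id and the POST-only rule are assumptions made for illustration; the requests in the demo are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://www.yourbank.com"  # origin of the page's example bank
OUTSTANDING = {}  # session id -> unused tokens (in-memory stand-in for a session store)

def session_cookie(session_id):
    """Set-Cookie value carrying the SameSite attribute from the list above."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Strict"

def issue_token(session_id):
    """Random single-use token, embedded in the form served to this session."""
    token = secrets.token_urlsafe(32)
    OUTSTANDING.setdefault(session_id, set()).add(token)
    return token

def origin_ok(headers):
    """Check Origin only when the browser sent one ("if present")."""
    origin = headers.get("Origin")
    if origin is None:
        return True
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN

def check_request(method, session_id, headers, form):
    """Decide whether a state-changing request may be acted on."""
    if method != "POST":  # assumption: the handler changes state on POST only
        return False, "method not allowed"
    if not origin_ok(headers):
        return False, "cross-origin request"
    submitted = form.get("csrf_token", "").encode()
    unused = OUTSTANDING.get(session_id, set())
    # Constant-time comparison against each token issued to this session.
    match = next((t for t in unused if hmac.compare_digest(t.encode(), submitted)), None)
    if match is None:
        return False, "missing or invalid anti-CSRF token"
    unused.discard(match)  # unique per request: a token is accepted once
    return True, "ok"

if __name__ == "__main__":
    # Constructed requests; "sess-1" is a made-up session id.
    token = issue_token("sess-1")
    bank = {"Origin": TRUSTED_ORIGIN}
    evil = {"Origin": "https://somewebsite.com"}
    print(check_request("GET", "sess-1", {}, {}))                        # the <img> request
    print(check_request("POST", "sess-1", evil, {"to": "9999999999"}))   # forged form post
    print(check_request("POST", "sess-1", bank, {"csrf_token": token}))  # genuine form
    print(check_request("POST", "sess-1", bank, {"csrf_token": token}))  # replayed token
```

Only the third request is accepted; the image-triggered GET, the cross-origin POST and the replayed token are all refused before any transfer logic would run.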

Tools

  • XSRFProbe: CSRF Audit and Exploitation Toolkit.
  • Bolt: CSRF Scanner