What is CSRF and how to prevent it.

Gaurav Raj
5 min read · Oct 1, 2023

Hello, amazing hacker. I'm Gaurav Raj, just a curious cybersecurity student, and today in this article we are going to see what a CSRF attack is and how we can prevent it.

CSRF stands for Cross-Site Request Forgery, and it is a type of security vulnerability (and attack) that can occur in web applications. In a CSRF attack, an attacker tricks a user into unknowingly making an unwanted request to a website where the user is already authenticated, from a different site than the one the user is visiting. This leads to actions being taken on the user's behalf without their consent.

Let's take an example. Imagine there is a website where you can update your email address. If the website is vulnerable to CSRF, an attacker or malicious user crafts a request that updates the email address on the vulnerable website. The attacker then hosts this malicious request on a website, in an email, or anywhere they can get you or other users to click on it, using phishing campaigns or any other tricks or tactics. Now, when you or any other authenticated user clicks on this malicious link while logged in to their account on the website, the intended action (changing the email address) is carried out using your authenticated session, since the browser automatically attaches your saved session token or any other cookies that authenticate you to the vulnerable website. This works because the vulnerable website trusts the user's session and processes the request without any additional verification.

Okay, but it's just an email address, so what can happen? At worst you lose access to your account, which may seem minor to you. Now change the website to a banking website that is vulnerable to CSRF: you get tricked or convinced to click on the malicious link, and before you realize your mistake your bank account is empty. Everything you had was transferred from your account to another. Yup, the attacker crafted the malicious request, used one of the tactics mentioned earlier, tricked you into clicking the link, and your account is empty. So now we know what CSRF is.

Let’s take a look at how a CSRF attack works:

  • Authentication: The victim user is authenticated (logged in) to a website, such as their online banking account or a social media platform, and they have an active session.
  • Malicious Link or Code: The attacker or threat actor convinces the victim to click on a malicious link or visit a website that contains malicious code, often through email, social engineering, or other means.
  • Unintended Action: When the victim visits the malicious website or clicks the link, their browser sends a request to another website where the user is authenticated, for example to change their email address or password, or to initiate a financial transaction.
  • Unauthorized Action: Since the user is already authenticated on the target website, the request is processed as if it came from a legitimate user. This means that the attacker can carry out actions on the user’s behalf without their knowledge or consent.

CSRF attacks can have serious consequences, such as changing account settings, making unauthorized transactions, or performing actions that could compromise the user’s security or privacy.

While I was learning about CSRF attacks and prevention methods, there was a question in my mind: why tokens? Are they really that important? After all, a CSRF token can be bypassed when it is poorly implemented, so why can't we just use the existing security headers or cookie protections? Look at it from a developer's point of view: it would be much easier to use existing headers or features of HTTP itself than to develop and implement a complete token validation function.

One of the most common reasons these vulnerabilities occur is poor implementation. In my opinion there is one reason behind that. Let's say I'm a cybersecurity student who also knows full-stack web development; but I'm a cybersecurity student full-time, not a software developer, so I can't be as good as someone who develops software full-time. The same applies the other way around: the full-time software developer is not aware of security concepts in depth, and because of that there are security loopholes in the implementation of the functionality. There is a practice called secure coding, in which programming is taught together with the proper security practices, but at least for now there are not many developers who practise secure coding to that extent.

So why can't we just use existing browser protections like the SameSite cookie attribute or the Content Security Policy header to prevent CSRF attacks?

The SameSite attribute (set on the cookie itself, not as a separate header) is designed to control when the browser attaches site A's cookies to cross-site requests; it does not stop site B from sending a request to site A in the first place. It focuses purely on the behavior of cookies in the user's browser. As we saw earlier, the CSRF attack's malicious request originates from site B and is sent to site A (the vulnerable site), so SameSite on its own cannot be relied on to stop it.

The Content Security Policy (CSP) header, on the other hand, is designed to control which domains can execute scripts or load resources on a web page. CSP lets the site restrict script sources, limit inline scripts, and block untrusted sources from loading any scripts. But CSRF does not rely on scripts at all: an attack can leverage scripts, but a plain HTML form or image tag is enough, so these restrictions do not help here either.

Also, session tokens or cookies are used to authenticate a valid user and maintain their session state on a website; they help ensure that the user is who they claim to be during their session. A CSRF token (anti-CSRF token), by contrast, is used to authenticate the source of a request, ensuring that it comes from the intended and legitimate origin. CSRF tokens help verify the authenticity of a request and prevent unauthorized actions even when the user is already authenticated.

So to prevent CSRF (Cross-Site Request Forgery) attacks, one should implement a combination of security measures.

  1. Use Anti-CSRF Tokens
  2. Set Appropriate SameSite Cookie Attributes
  3. Implement Proper Authentication and Authorization
  4. Educate Users
  5. Implement Cross-Origin Request Policies
  6. Implement Strong Session Management
  7. Regularly Update and Patch
  8. Conduct Security Audits and Testing
  9. Monitor and Log
  10. Follow Security Best Practices
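Here is how items 1 and 2 of that list fit together in code, as an added example that is not part of the original post: a per-session anti-CSRF token checked on every state-changing request, and a session cookie issued with SameSite=Lax. The CsrfGuard class and the dict-shaped request are assumptions made for this example, not a real framework API.

```python
import hmac
import secrets
# Minimal server-side model of the synchronizer-token pattern (item 1 above)
# plus a SameSite session cookie (item 2). CsrfGuard is an assumed name, not
# a real framework API; a request is a dict with "cookies" (what the browser
# attached), "form" (POST body fields) and "headers" (e.g. the Origin header).
class CsrfGuard:
    SITE_ORIGIN = "https://bank.example"  # constructed sample origin for site A
    def __init__(self):
        self._tokens = {}  # session id -> anti-CSRF token

    def issue_token(self, session_id):
        # One unpredictable token per session, placed in the form as a hidden field.
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def session_cookie(self, session_id):
        # Defense in depth: SameSite=Lax keeps the browser from attaching the
        # cookie to cross-site POSTs; the token check below is still required.
        return f"session={session_id}; Secure; HttpOnly; SameSite=Lax"

    def is_valid(self, req):
        session_id = req["cookies"].get("session")
        if session_id is None:
            return False  # not authenticated, so there is no session to abuse
        expected = self._tokens.get(session_id)
        supplied = req["form"].get("csrf_token")
        if expected is None or supplied is None:
            return False  # token missing: forged request or broken form
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, supplied):
            return False
        # If the browser sent an Origin header, it must name our own site.
        origin = req["headers"].get("Origin")
        return origin is None or origin == self.SITE_ORIGIN

def demo():
    # Both requests carry the victim's session cookie; only site A's own form
    # carries the token, because site B cannot read that hidden field.
    guard, sid = CsrfGuard(), "sess-123"  # constructed session id
    token = guard.issue_token(sid)
    legit = {"cookies": {"session": sid},
             "form": {"email": "me@example.com", "csrf_token": token},
             "headers": {"Origin": guard.SITE_ORIGIN}}
    forged = {"cookies": {"session": sid},
              "form": {"email": "attacker@example.com"},
              "headers": {"Origin": "https://evil.example"}}
    return guard.is_valid(legit), guard.is_valid(forged)
```

demo() returns (True, False): the legitimate form submission passes, the cross-site one is rejected even though the browser attached the same session cookie.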

By combining these preventive measures, you can significantly reduce the risk of CSRF attacks and enhance the overall security of your web application.

So far we have covered what a CSRF attack is and the methods to prevent it. In the next post we will see how we can bypass and execute a CSRF attack ethically. Until then, keep hacking… 🤗


Gaurav Raj

🔐 Cybersecurity student exploring tech security. Join my journey to learn and protect the digital world together! 💻🌐