Cross-Site Request Forgery(CSRF) | Web App Vulnerability

Cross-Site Request Forgery, also known as CSRF, XSRF, sea surf, or the one-click attack, is another common web application vulnerability. It tricks the user's web browser into doing things the user did not intend to do.

The attacker tricks the victim's browser into generating requests to a website that performs certain actions on behalf of the logged-in user. It is a type of malicious exploit of a website in which unauthorized commands are submitted from a user that the web application trusts.

Basically, CSRF is an attack that forces an authenticated user of a web application to send a malicious web request.

CSRF can take several forms, but the primary types are:

  1. POST request based
  2. GET request based
  3. JSON request based

How does CSRF work?

Let's see how a CSRF attack works in the web browser.

Consider a bank web application that sends money to other users, identified by their usernames.

Consider the following URL, which makes a request to the web application to transfer funds to another account.

http://indiabank.com/transfer.do?acc=personA&amount=$100

The attacker might craft a malicious link that transfers the money to their own account instead.

Now the URL will look like this:

http://indiabank.com/transfer.do?acc=attacker&amount=$100

Now the attacker only needs to embed this URL in some HTML and use a little social engineering to get the victim to click the link.

For example:

<a href="http://indiabank.com/transfer.do?acc=attacker&amount=$100">Please click me!</a>

Now, if a user who is logged in to the bank clicks the PLEASE CLICK ME! link, they end up initiating a 100 dollar transfer to the attacker's account.

This is a basic example of a Cross-Site Request Forgery attack.

Let's do a quick CSRF attack using DVWA (Damn Vulnerable Web Application), which we also used in the previous blog for the cross-site scripting attack.


This is how the CSRF test page looks on DVWA.

Here, the goal is to change the admin password.

So let's do some recon on what the URL looks like when we change the password, that is, which GET request the application sends.

As you can see, the web app sends a plain GET request to change the password.

So now I, the attacker, will create a malicious website to trick the admin into changing the password to one I know. Let's make one.

Now the attacker has created a decent-looking website, and when the victim loads the page the password is changed to whatever the attacker wants.

This is the code of the website. Here you can see an img tag whose source is the malicious password-change URL, which changes the victim's password to 'hacked'.

This is how a basic CSRF attack is performed.

Impact of CSRF

The impact of CSRF can be very high for an individual or an organization. If the victim is an ordinary user, they could end up losing control of their personal account and data; if the victim is the admin of an organization, the whole organization can be compromised through one small but lethal CSRF vulnerability.

How to Prevent CSRF?

  1. Always use an anti-CSRF token on your website.
  2. Use the SameSite cookie attribute when setting cookies.
  3. Require authentication for sensitive actions.
  4. Always stay aware of new types of attacks and forgery.
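To make the prevention list concrete, here is an added example (not code from this post or from DVWA) that simulates the DVWA password-change handler in two forms: the vulnerable GET handler the post describes, and a hardened version that applies the anti-CSRF token and SameSite cookie controls listed above. The in-memory session store, the request dictionaries and the response strings are constructed for this example.

```python
import hmac
import secrets

# Hypothetical in-memory session store (constructed for this example): session id -> data.
SESSIONS: dict = {}

def create_session(user: str) -> str:
    """Log a user in and mint a per-session anti-CSRF token (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "password": "password",
                     "csrf_token": secrets.token_urlsafe(32)}
    return sid

def session_cookie_header(sid: str) -> str:
    """Set-Cookie value the hardened app would emit. SameSite=Strict stops the browser
    attaching the cookie to cross-site requests such as the forged <img> request."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Strict"

def change_password_vulnerable(request: dict) -> str:
    """Mirrors the DVWA flow from the post: a GET with the new password in the query
    string, authenticated only by the session cookie the browser attaches automatically."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return "401 not logged in"
    session["password"] = request["query"]["password_new"]
    return "200 password changed"

def change_password_hardened(request: dict) -> str:
    """Same action with the controls from the prevention list: the session must exist,
    the request must be a POST, and the form must carry that session's CSRF token."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return "401 not logged in"
    if request["method"] != "POST":
        return "405 state changes must use POST"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison so the check cannot leak the token through timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "403 missing or invalid CSRF token"
    session["password"] = request["form"]["password_new"]
    return "200 password changed"

def forged_request(sid: str, method: str = "GET") -> dict:
    """The cross-site request the victim's browser would send while logged in: it carries
    the session cookie, but a third-party page cannot know the session's CSRF token."""
    return {"method": method, "cookies": {"session": sid},
            "query": {"password_new": "hacked"}, "form": {"password_new": "hacked"}}
```

Running the forged request against both handlers shows the vulnerable one changing the password to 'hacked' while the hardened one rejects it, and only a form that includes the session's own token succeeds.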


About Cybervie

Cybervie provides a cyber security training program in Hyderabad, India. This cyber security course enables you to detect vulnerabilities in a system, ward off attacks and manage emergency situations. Taking a proactive approach to security that can help organisations protect their data, Cybervie has designed its training module around cyber security industry requirements, with three levels of training covering both offensive and defensive work, and uses real-time scenarios to help students understand the market up to its standard certification, an added advantage for students who want to stand out in a cyber security interview.

