Cross-Site Request Forgery, also known as CSRF, XSRF, sea surf, or the one-click attack, is another common web application vulnerability. It tricks the user's web browser into doing things the user did not intend to do.
The attacker tricks the victim's browser into sending requests to a website that performs actions on behalf of the logged-in user. It is a malicious exploit of a website in which unauthorized commands are submitted by a user whom the web application trusts, because the browser automatically attaches that user's session cookie to the forged request.
In short, CSRF is an attack that forces an authenticated user of a web application to send a request the attacker chose.
A CSRF request can take any form the application accepts, but the primary types are:
- POST request based
- GET request based
- JSON request based
How does CSRF work?
Let's see how a CSRF attack works in the web browser.
Consider a bank web application that sends money to other users, identified by their usernames.
Suppose the following URL makes a request to the web application to transfer funds to another account:
http://indiabank.com/transfer.do?acc=personA&ammount=$100
The attacker only needs to change the account parameter so that the money goes to their own account.
Now the URL looks like this:
http://indiabank.com/transfer.do?acc=attacker&ammount=$100
Now the attacker can wrap this URL in a little HTML and use some social engineering to get the victim to click the link.
For example:
<a href="http://indiabank.com/transfer.do?acc=attacker&ammount=$100">Please click me!</a>
Now, anyone who is logged in to the bank and clicks the "Please click me!" link ends up initiating a 100 dollar transfer to the attacker's account, because the browser sends the victim's session cookie along with the forged request.
This is a basic example of a Cross-Site Request Forgery attack.
Let's do a quick CSRF attack using DVWA (Damn Vulnerable Web Application), which we also used in the previous blog for the cross-site scripting attack.
This is how the CSRF test page looks on DVWA.
Here, we have to change the admin password.
So let's first do some recon on how the URL looks when we change the password, that is, what GET request the page sends.
As you can see, the web app sends a GET request to change the password, with the new password in the query string.
So now I, the attacker, will create a malicious website that tricks the admin into changing the password to one I know. Let's make one.
The attacker now has a decent-looking website, and when the victim loads the page (while logged in to DVWA) the password changes to whatever the attacker wants.
This is the code of the website. Here you can see an img tag whose src is the malicious password-change URL; the browser fetches it automatically and changes the victim's password to 'hacked'.
This is how a basic CSRF attack is performed.
Impact of CSRF
The impact of CSRF on an individual or an organization can be very high. If the person caught by a CSRF attack is a normal user, they could end up losing their personal account and data; if the person is an administrator of an organization, the whole organization can be compromised through one small but lethal CSRF vulnerability.
How to prevent CSRF?
- Always use an anti-CSRF token on your website, and check it server-side on every state-changing request.
- Use the SameSite cookie attribute so the browser does not send the session cookie on cross-site requests.
- Require re-authentication for sensitive actions such as password changes or fund transfers.
- Never perform state changes on GET requests; use POST (or another non-safe method) so a simple img tag or link cannot trigger them.
- Always be aware of new types of attacks and forgery.
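To show how the first two defences stop the DVWA-style password change above, here is an added example (not code from the original post or from DVWA) of a server-side handler that mints a per-session anti-CSRF token, verifies it on POST, and issues the session cookie with SameSite. The request dictionary shape, the handler name and the server secret are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed secret for this example only; a real application loads it
# from configuration, never from source code.
SERVER_SECRET = b"example-secret-do-not-use"


def mint_csrf_token(session_id: str) -> str:
    """Token bound to the session: nonce + HMAC(secret, session_id:nonce)."""
    nonce = secrets.token_hex(16)
    msg = f"{session_id}:{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Reject a token that is missing, malformed, forged, or minted for another session."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    msg = f"{session_id}:{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_change_password(request: dict) -> tuple:
    """Hypothetical password-change handler: the session cookie alone is not enough.

    request = {"method": str, "cookies": dict, "form": dict}
    Returns (status_code, message).
    """
    if request["method"] != "POST":
        # An <img src=...> or a plain link can only produce a GET.
        return 405, "password changes must be POSTed"
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "not logged in"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token", "")):
        # A cross-site form can carry the cookie but cannot read the token.
        return 403, "CSRF token missing or invalid"
    return 200, "password changed"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value that keeps the session cookie off cross-site requests."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

The token must be embedded in the legitimate form by the server and never exposed to other origins; with SameSite=Lax the browser additionally withholds the cookie from cross-site POSTs even if the token check were missing.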