A CSRF (Cross-Site Request Forgery) attack is a type of security vulnerability that tricks a user into performing actions on a website or web application without their knowledge or consent. This type of attack takes advantage of the trust a website has in the user's browser.
How CSRF Works:
- Victim logged in: The victim is authenticated and logged into a web application (e.g., a banking website).
- Malicious website: The attacker creates a malicious website or web page that includes a hidden request, such as a form submission, image, or a link, targeting the victim's authenticated session.
- User visits malicious site: The victim, still logged in to the original application, unknowingly visits the attacker’s malicious website.
- Request sent automatically: The malicious site sends a request (such as transferring money, changing account settings, etc.) to the target website on behalf of the victim, using the victim’s session.
- Action executed: The target website processes the action, assuming it is a legitimate request from the victim, and performs it (e.g., transferring money, changing the password).
Example Scenario:
- A user is logged into their banking account and has an active session.
- They unknowingly visit a malicious site, which sends a request to transfer money from the user's account to the attacker’s account.
- Since the user is authenticated, the bank processes the request, and the money is transferred without the user’s knowledge.
CSRF Attack Mechanisms:
- The attacker might exploit a GET or POST request, tricking the victim’s browser into sending it.
- This attack can be hidden in various forms, such as an image <img> tag, a <form> submission, or a request triggered by JavaScript.
Protection Against CSRF:
To prevent CSRF attacks, websites use several techniques:
- CSRF Tokens: A unique, unpredictable token is generated by the server and included in forms or URLs. When a form is submitted, the server checks that the token sent with the request matches the one it issued for that session; if it does not, the request is rejected.
- SameSite Cookies: This cookie attribute restricts how cookies are sent with cross-site requests, preventing the browser from sending authentication cookies in unauthorized requests.
- Referer and Origin Header Validation: Websites can validate the Referer or Origin HTTP headers to ensure that the request originated from the same domain.
- Captcha: Using CAPTCHA systems for sensitive actions (like fund transfers or password changes) can help prevent automated CSRF attacks, because a forged request cannot supply the CAPTCHA answer.
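The following is an added example, not code from the original article, showing three of the defences listed above in a framework-free form using only the Python standard library: session-bound CSRF tokens (derived with an HMAC and compared in constant time), Origin/Referer validation against an allow-list, and a Set-Cookie header carrying the SameSite attribute. The origin allow-list, the function names and the sample requests are this example's own assumptions.

```python
"""Added example (not from the original article): minimal CSRF defences with
the Python standard library only. ALLOWED_ORIGINS, the function names and the
sample requests below are assumptions made for this example."""
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit
from http.cookies import SimpleCookie

# Origins allowed to submit state-changing requests (assumed for the example).
ALLOWED_ORIGINS = {"https://bank.example"}


def new_session_secret() -> str:
    """Per-session secret from which CSRF tokens are derived.
    Kept server-side in the session store; never sent to the client."""
    return secrets.token_hex(32)


def issue_csrf_token(session_secret: str, form_id: str) -> str:
    """Token embedded in a form (or URL) for this session and form.
    Binding it to the session secret means a token an attacker obtains from
    their own session is useless against the victim's session."""
    return hmac.new(session_secret.encode(), form_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_secret: str, form_id: str, submitted: str) -> bool:
    """The submitted token must equal the one the server would have issued;
    compare_digest avoids leaking the expected value through timing."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_secret, form_id), submitted)


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port], the part an origin check compares."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def origin_allowed(headers: dict) -> bool:
    """Validate Origin (preferred) or Referer (fallback) against ALLOWED_ORIGINS.
    A request carrying neither header is rejected: a cross-site submission may
    omit Referer, but the browser sets Origin and page script cannot change it."""
    origin = headers.get("Origin")
    if origin:
        return origin_of(origin) in ALLOWED_ORIGINS
    referer = headers.get("Referer")
    if referer:
        return origin_of(referer) in ALLOWED_ORIGINS
    return False


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with SameSite=Strict (plus Secure and HttpOnly), so the
    browser withholds the session cookie on cross-site requests."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    c["session"]["samesite"] = "Strict"
    c["session"]["path"] = "/"
    return c.output(header="").strip()


def accept_transfer(session_secret: str, headers: dict, form: dict) -> bool:
    """Decision for a state-changing POST: the origin check and the token
    check must both pass (defence in depth)."""
    return origin_allowed(headers) and verify_csrf_token(
        session_secret, "transfer", form.get("csrf_token", ""))


if __name__ == "__main__":
    secret = new_session_secret()
    # Constructed sample: a legitimate submission from the site's own page.
    good = accept_transfer(
        secret,
        {"Origin": "https://bank.example", "Referer": "https://bank.example/transfer"},
        {"amount": "1000", "to": "savings", "csrf_token": issue_csrf_token(secret, "transfer")})
    # Constructed sample: a cross-site submission carrying no token.
    bad = accept_transfer(
        secret,
        {"Origin": "https://evil.example"},
        {"amount": "1000", "to": "attacker_account"})
    print(good, bad)  # True False
    print(session_cookie_header("abc123"))
```

The origin check runs first because it is cheap and rejects most forged requests outright; the token check then covers cases where both headers are missing or an allowed origin is compromised. Real frameworks persist the token in the session rather than recomputing it, but the verification rule is the same: the value in the request must match the value the server issued for that session.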
Types of CSRF Attacks
- GET-based CSRF: The attacker tricks the victim into making a GET request to a vulnerable web application, such as by embedding an image, script, or hyperlink in a malicious site.
- Example:
<img src="http://example.com/transfer?amount=1000&to=attacker_account">
- POST-based CSRF: The attacker uses a POST request to send data to the target site, often through a hidden form submission. This is generally more dangerous, since state-changing operations are usually implemented as POST requests.
- Example: Hidden HTML form submission with a predefined action and data:
<form action="http://example.com/transfer" method="POST">
<input type="hidden" name="amount" value="1000">
<input type="hidden" name="to" value="attacker_account">
</form>
Tools to Test CSRF Vulnerabilities
Several tools and frameworks can help developers test for CSRF vulnerabilities in their applications:
- OWASP ZAP (Zed Attack Proxy): A popular security testing tool for web applications that can be used to identify CSRF vulnerabilities.
- Burp Suite: A widely used security testing suite that can scan for and help mitigate CSRF vulnerabilities.
- CSRFTester: A specialized tool for testing CSRF vulnerabilities in web applications.
In essence, CSRF exploits the trust a website has in the user's browser, while other attacks like XSS (Cross-Site Scripting) exploit the trust a user has in a website.