Cross-Site Request Forgery (CSRF)

This article covers the basics of Cross-Site Request Forgery (CSRF), a key web security vulnerability: how the attack works, the defence mechanisms against it, and its impact on website security.

What is Cross-Site Request Forgery (CSRF)?

Cross-Site Request Forgery (CSRF), also known as XSRF, is a type of security vulnerability that occurs when a malicious website, email, or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

How Does CSRF Work?

The attack works by including a link, form or script in an attacker-controlled page that sends a request to a site on which the user is authenticated. Because the browser automatically attaches the user's cookies (and other ambient credentials) to that request, the site trusts it exactly as it trusts the user's own actions, so no distinction between the attacker's requests and the user's requests can be made.

Example of a CSRF Attack

Imagine a situation where a user is logged into their bank's website and they navigate to a different site that contains a hidden form designed to transfer money from the user's account to the attacker’s account without the user's knowledge.

Preventing CSRF Attacks

To protect against CSRF attacks, websites use anti-CSRF tokens: a random token is generated, tied to the user's session, and verified on each state-changing request. SameSite cookie attributes and properly restrictive CORS policies are also effective in mitigating CSRF risks.

// WARNING: This is an example of what NOT to do as it's a security risk.
// Do NOT use this code in any production environment.

// Simulated malicious JavaScript that could be used in a CSRF attack
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://www.examplebank.com/transfer", true);
// A form-encoded body counts as a "simple" request, so the browser sends it
// cross-site without a CORS preflight.
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
// withCredentials makes the browser attach the victim's bank cookies,
// which is exactly what the vulnerable server then trusts.
xhr.withCredentials = true;
var requestBody = "amount=1000&destinationAccount=attacker";
xhr.send(requestBody);

<!-- Example of an HTML form that could be used in a CSRF attack -->
<!-- WARNING: This is for educational purposes only. -->
<html>
  <body>
    <h1>You've won a prize! Click the button to claim!</h1>
    <!-- The browser submits this cross-site POST with the victim's bank cookies attached -->
    <form action="http://www.examplebank.com/transfer" method="POST">
      <input type="hidden" name="amount" value="1000" />
      <input type="hidden" name="destinationAccount" value="attacker" />
      <input type="submit" value="Claim Prize!" />
    </form>
  </body>
</html>

// Example CSRF token implementation snippet
// Include this in a secure, server-side application only.
const crypto = require('crypto');

// Generate a CSRF token
function generateCsrfToken(session) {
  // Token should be large and random to prevent guessing attacks
  const token = crypto.randomBytes(64).toString('hex');
  // Store the CSRF token in the user's session for validation of subsequent requests
  session.csrfToken = token;
  return token;
}

<!-- Inject the CSRF token as a hidden field in a form (EJS template syntax) -->
<form action="/process" method="post">
  <!-- Assuming `csrfToken` is available in the template context -->
  <input type="hidden" name="_csrf" value="<%= csrfToken %>">
  <!-- The rest of your form fields go here -->
</form>
