Cross Site Request Forgery (CSRF)

Cross Site Request Forgery (CSRF) happens when an attacker can take a visitor's session, such as their authenticated cookies, and use it to send requests to the origin server. The origin server, however, does not verify the identity behind the request and therefore serves it. Hence, it is a security vulnerability.

Description

The attack takes place during form submission. Normally, the origin server accepts inbound data requests such as POST without checking the requester in depth. There is also no direct two-way mechanism for verifying where the data originated.

The authentication tokens, usually in the form of cookies, are easily extractable from the browser. Once the attacker has extracted the list of authentication tokens, he/she can build a session from them. This is known as "session forgery", in which the attacker has successfully forged the user's login session.

With the forged session ready, the attacker can send requests to the origin server as if they were the user, for example a "buy" request followed by a "pay" request. Since the server has no way to identify the request's origin, it assumes the requests genuinely come from the user.

Although credential tokens are commonly extracted through XSS, the extraction can be done by various other means, including backdoors, background lurking and similar approaches. Hence, never assume CSRF is limited to XSS.

Potential Attacking Models

Business Logic Hijacking

Damage to transactions of value performed by users, for example:

  1. buying something on the user's behalf and having the goods delivered to the attacker instead
  2. hijacking the user's social media posts, damaging the user's reputation
  3. deleting data, sabotaging user accounts and access
  4. altering user access credentials, denying the user access

Best Practices

  1. VALIDATE INPUTS AND REQUEST ORIGINS. Never trust users' input, including that of authenticated users.
  2. COMPLY WITH PREVENTION GUIDELINES. Available from OWASP: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
  3. TRACK AND VERIFY REQUEST HEADERS. This is a second mechanism, to be used if resources permit.
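The following is an added example, not code from the original article, showing how practices 1 and 3 combine on the server side: a synchronizer token (the pattern recommended in the OWASP cheat sheet linked above) bound to the user's session with an HMAC, plus verification of the Origin/Referer header before any state-changing request is served. The server secret, the allowed origin, the session id and the three sample requests are constructed values for illustration; the function names (issue_csrf_token, check_request, etc.) are this example's own and do not come from any framework.

```python
"""Synchronizer-token CSRF check combined with Origin/Referer verification.

Added example, not part of the original article. Framework-free so it runs
offline; in a real application the same logic sits in request middleware.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Server-side secret used to bind tokens to a session. Constructed value for
# the example; in production load it from configuration, never hard-code it.
SERVER_SECRET = b"example-only-server-secret"

# Origins from which state-changing requests are accepted (constructed value).
ALLOWED_ORIGINS = {"https://shop.example"}

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # must never change server state


def issue_csrf_token(session_id: str) -> str:
    """Return a token bound to this session; embed it in each form as a hidden field."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for the presented token and compare it in constant time."""
    if not token or "." not in token:
        return False
    nonce, presented_mac = token.rsplit(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented_mac)


def source_origin(headers: Dict[str, str]) -> Optional[str]:
    """Derive the request's source origin from Origin, falling back to Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_request(request: Dict) -> Tuple[bool, str]:
    """Decide whether a request may be served and say why.

    ``request`` is a plain dict with keys ``method``, ``headers``, ``form`` and
    ``session_id`` (the session the browser's cookie resolved to).
    """
    if request["method"] in SAFE_METHODS:
        return True, "safe method"
    origin = source_origin(request["headers"])
    if origin is None:
        # Neither header present: treat as untrusted, per the OWASP guidance.
        return False, "no Origin or Referer header"
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-origin request from {origin}"
    if not token_is_valid(request["session_id"], request["form"].get("csrf_token")):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check over constructed requests: one genuine and two forged."""
    sid = "sess-123"  # constructed session id resolved from the cookie
    good_token = issue_csrf_token(sid)
    common = {"method": "POST", "session_id": sid}
    requests = {
        # The user's own form submission: same origin, token present.
        "genuine": {**common, "headers": {"Origin": "https://shop.example"},
                    "form": {"item": "42", "csrf_token": good_token}},
        # Browser carried the cookie, but the submitting page never had the token.
        "forged_no_token": {**common, "headers": {"Origin": "https://shop.example"},
                            "form": {"item": "42"}},
        # Submitted from another site; the header check rejects it first.
        "forged_cross_site": {**common, "headers": {"Origin": "https://third-party.example"},
                              "form": {"item": "42", "csrf_token": good_token}},
    }
    return {name: check_request(req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:18} allowed={allowed!s:5} reason={reason}")
```

The token never leaves the server's control except inside the page it renders, so a request assembled elsewhere lacks it even though the browser attaches the session cookie automatically; the header check catches the cross-origin case independently, which is why the two practices are worth layering.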