This is the third post in my web-security series. The first covered XSS (Cross-Site Scripting), the second SQL injection, and in this one I will answer the question: what is CSRF, or Cross-Site Request Forgery?
So what is CSRF?
Cross-Site Request Forgery is a web attack in which a user's browser is tricked into sending a request (typically by submitting a form) that the user did not intend, to a website on which that user is currently authenticated and holds privileges.
Here is the difference between XSS and CSRF as explained in Wikipedia's article on CSRF: "Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser."
How does CSRF work? Consider a website, some-site.com. You visit the website and sign up for an account, and the website stores cookies (for example a session cookie) in your browser. From then on, every time you perform some action on that website, the browser automatically attaches the cookies stored by that site to the request it sends to the site's backend server.
Now you visit another website, a malicious one such as bad-site.com. That page cannot read the cookies some-site.com stored, but it does not need to: it only has to make your browser send a request to some-site.com's backend server, for example by auto-submitting a hidden form. The browser attaches some-site.com's cookies to that request, so the backend server sees a request from your authenticated session and performs whatever action bad-site.com chose.
Another example: you are logged in to your bank's website and then visit a page that mounts a CSRF attack. That page can make your browser send a request to the bank's site carrying your bank cookies, and can do things like transfer money from your account to another account without you ever noticing. The attacking page does not even need you to click anything; it can submit the forged form as soon as it has finished loading:
<body onload="document.getElementById('someForm').submit()">
...
<!-- Hidden form aimed at the bank, submitted automatically once the page has loaded.
     The browser attaches yourbank.com's cookies, so the bank sees an authenticated request. -->
<form id="someForm" action="http://yourbank.com/transfer_amt" method="POST">
<input type="hidden" name="account" value="Name" />   <!-- recipient account chosen by the attacker -->
<input type="hidden" name="amount" value="10000" />   <!-- amount chosen by the attacker -->
</form>
</body>
What can be done to prevent CSRF attacks?
- Set the SameSite attribute (Lax or Strict) on session cookies, so the browser does not attach them to requests initiated from another site.
- Do not use GET requests for state-changing operations.
- Check whether the framework you are using already has CSRF protection built in (usually an anti-CSRF token embedded in each form and verified on the server) and use it.
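The mechanism and the defences above, as an added example that is not code from the original post: a toy bank server written here for illustration, run twice in-process. The first run exposes a /transfer endpoint that trusts the session cookie alone, so a request built by another site goes through; the second run adds the two checks a CSRF-aware framework performs (an Origin header check and a per-session synchronizer token) and rejects the forged request while accepting the bank's own form. The origins yourbank.com and bad-site.com, the session id, the account names and the balances are all constructed for this example; the token is an HMAC over the session id, which is one of several valid ways to bind a token to a session.

```python
import hashlib
import hmac
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import parse, request
from urllib.error import HTTPError

SECRET = secrets.token_bytes(32)          # server-side key that binds tokens to sessions
SESSIONS = {"sess-alice": "alice"}        # constructed: session cookie value -> user
BALANCES = {"alice": 100_000, "mallory": 0}  # constructed account balances
BANK_ORIGIN = "https://yourbank.com"      # assumed origin of the bank's own pages
ATTACKER_ORIGIN = "https://bad-site.com"  # assumed origin of the page forging the request


def csrf_token(session_id):
    """Synchronizer token: keyed hash of the session id, which bad-site cannot compute."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def session_cookie(session_id):
    """Set-Cookie value for a hardened session. SameSite=Lax stops the browser from
    attaching the cookie to a cross-site POST such as the auto-submitted form above."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_cookies(header):
    jar = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = value
    return jar


class VulnerableBank(BaseHTTPRequestHandler):
    """Authenticates by cookie alone: any request the browser sends is honoured."""

    def log_message(self, *_):  # keep the demo quiet
        pass

    def authorize(self, session_id, form):
        return True  # the cookie was present; nothing else is checked

    def do_POST(self):
        session_id = parse_cookies(self.headers.get("Cookie")).get("session")
        user = SESSIONS.get(session_id)
        if self.path != "/transfer" or user is None:
            self.send_error(401)
            return
        length = int(self.headers.get("Content-Length") or 0)
        form = parse.parse_qs(self.rfile.read(length).decode())
        if not self.authorize(session_id, form):
            self.send_error(403)
            return
        amount, recipient = int(form["amount"][0]), form["account"][0]
        if BALANCES[user] < amount:
            self.send_error(400)
            return
        BALANCES[user] -= amount
        BALANCES[recipient] = BALANCES.get(recipient, 0) + amount
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"balance": BALANCES[user]}).encode())


class HardenedBank(VulnerableBank):
    """Same endpoint plus the server-side checks a CSRF-aware framework performs."""

    def authorize(self, session_id, form):
        # 1. Browsers send Origin on POST; anything but the bank's own origin is a forgery.
        if self.headers.get("Origin") != BANK_ORIGIN:
            return False
        # 2. The form must echo the token the bank's page embedded; compare in constant time.
        submitted = form.get("csrf_token", [""])[0]
        return hmac.compare_digest(submitted, csrf_token(session_id))


def post(port, form, origin):
    """Send the POST as a browser would: the session cookie is attached no matter which
    site built the form; only the Origin header and the form fields differ."""
    req = request.Request(
        f"http://127.0.0.1:{port}/transfer",
        data=parse.urlencode(form).encode(),
        headers={"Cookie": "session=sess-alice", "Origin": origin,
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST")
    try:
        with request.build_opener(request.ProxyHandler({})).open(req) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def run_demo():
    """Run the forged and the legitimate request against each server; return status codes
    and Alice's balance afterwards, keyed by '<server>/<request>'."""
    results = {}
    for name, handler in (("vulnerable", VulnerableBank), ("hardened", HardenedBank)):
        BALANCES.update({"alice": 100_000, "mallory": 0})
        server = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        port = server.server_address[1]
        forged = {"account": "mallory", "amount": "10000"}         # bad-site's hidden form
        legit = dict(forged, csrf_token=csrf_token("sess-alice"))  # the bank's own form
        results[f"{name}/forged"] = post(port, forged, ATTACKER_ORIGIN)
        results[f"{name}/legit"] = post(port, legit, BANK_ORIGIN)
        results[f"{name}/alice"] = BALANCES["alice"]
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Against the vulnerable server both requests return 200 and Alice loses 20,000; against the hardened one the forged request gets 403 and only the bank's own form, which carries the token, goes through. The Origin check alone would already stop the auto-submitted form, and the token alone would too; frameworks ship the token because older clients and some proxies strip or omit Origin, while the SameSite cookie attribute removes the cookie from the cross-site request before the server ever sees it.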
What I Learned Today
💻 Programming
- CSRF - Cross-Site Request Forgery - The following are some sources from the web about CSRF attacks and prevention techniques:
🗾 Language [Japanese]
- この辺 (このへん) Around here. 辺: Area.
- 教室 (きょうしつ) Classroom. 教: Teach, 室: Room.
- 自由 (じゆう) Freedom. 自: Self, 由: Wherefore.
- 同時 (どうじ) Same time. 同: Same, 時: Time.