Blog site

Understanding Cross-Site Request Forgery (CSRF) Attacks

Cross-site request forgery (CSRF), also known as session riding, is a type of cyberattack in which authenticated users of a web application are forced to submit malicious state-change requests created by an attacker. CSRF attacks can:

  • Edit target records in an application
  • Submit a transaction
  • Buy products using target details
  • Change passwords
  • Edit registered email addresses in a web application
  • Send messages under the target’s name
  • Funds transfer

In some cases, a CSRF attack can give hackers full access to a target’s accounts in the web application. If the targeted person is in a privileged or controlling position within the web application, the attacker can further exploit the vulnerability to take control of the application and its data, which means that the CSRF defense is an element key to a company’s cybersecurity.

For businesses, CSRF defense represents an area of ​​cybersecurity that deserves attention and investment due to the risk of attackers gaining access to company accounts and funds by submitting malicious requests that modify user accounts. For example, in early 2021, WordPress discovered that one of its plugins contained an embedded CSRF vulnerability that affected over 50,000 sites (Chamberland, 2021). The vulnerability allowed attackers to inject malicious JavaScript into websites via the plugin, which the attackers then used to force site users to open malicious links or attachments embedded in the affected sites.

How do cross-site request forgery attacks work?

CSRF attacks often rely on social engineering methods to convince their targets to click on a malicious URL. Once a user clicks on the link, which contains an unauthorized request for a specific web application for which the user has authentication, the user’s browser sends this request to the target application (Synopsys, 2021).

Since the request also includes all relevant credentials, such as user session cookies, the application treats the new request as an authorized request sent by the user. Therefore, a CSRF attack allows cybercriminals to bypass a web application’s authentication process by attacking sites that fail to differentiate between valid and spoofed requests. Effective CSRF mitigation techniques aim to prevent attackers from bypassing authentication measures with this method.

For a CSRF attack to be successful, three essential conditions must be met (PortSwigger, 2021):

  • There is a desirable action the attacker wants to perform, such as changing a password or transferring funds.
  • Cookie-based session management is in place to identify the user.
  • There are no unpredictable request parameters that the attacker is unable to determine or guess, such as needing to know an existing password to create a new one.

If these three conditions are met, an attacker can successfully craft a malicious request into a forged URL or link and convince a user to open the link while in an active session with the target web application. CSRF mitigation normally involves modifying the second or third condition in this list to prevent attackers from using cookie session data to bypass authentication processes or introduce unpredictable query parameters that attackers cannot. to guess.

Prevention, mitigation, and defense against cross-site request forgery

There are three basic approaches you can apply to your application’s CSRF mitigation strategy to prevent CSRF attacks and eliminate vulnerabilities (Demir, 2020):

  • Use of CSRF tokens in HTML forms for critical operation requests in applications
  • Avoid using the HTTP GET method for critical operations, such as create, update, and delete actions
  • Using the “SameSite” attribute of the “Set-Cookie” HTTP response header

Cross-site request forgery tokens

CSRF tokens, or challenge tokens, are the most common method of CSRF mitigation. These tokens provide a way for applications to distinguish between a request that was legitimately generated from a user’s interface and one that was not, such as in the case of a CSRF attack.

CSRF tokens consist of large random values ​​unique to each user session and are inserted into user-side and server-side HTML forms. All requests generated by the user’s browser must contain the CSRF token. This allows the application server to verify that a request is genuine, as a CSRF attack cannot access token information in HTML (Synopsys, 2021).

SameSite cookie attribute

The SameSite attribute of the Set-Cookie HTML response header is intended to prevent CSRF attacks by helping browsers decide when to send cookies with cross-site requests, as cookie data can allow CSRF attackers to bypass authentication process (OWASP, 2021). Users can choose between “Lax” and “Strict” attribute values, which respectively allow or block session cookies when arriving from external websites or when browsers encounter typical request methods subject to CSRF.

EC-Council Web Application Hacking and Security Certification

If you’re a cybersecurity professional looking to learn the tools to prevent CSRF attacks, consider earning a certification in Web Application Hacking and Security (W|AHS). EC-Council’s W|AHS course is a specialized web application security certification that builds on the challenges presented in other industry-respected EC-Council certification courses, such as the Certified Ethical Hacker ( C|EH) and Certified Penetration Testing Professional (C|PENT), to develop your practical knowledge of how to handle advanced web application cyberattacks.

The W|AHS certification teaches advanced hacking and web security skills, covering CSRF defense, SQL injection vulnerabilities, directory browsing vulnerabilities, and 27 other hacking and web security topics. You’ll also be able to put what you’ve learned to the test with a series of “Break the Code” challenges modeled on real-life scenarios, giving you valuable hands-on experience. Learn more about the W|AHS course here and contact EC-Council to get certified today!