Cross-Site Request Forgery (CSRF)
These attacks are also known as “Session Riding” or “One-Click Attack”. CSRF is an attack against the users of a web application. Put simply, it lets the attacker cause unauthorized HTTP requests (GET or POST) to be sent to the site on behalf of a victim who is authenticated to it.
Requirements
In order to carry out CSRF attacks, some conditions have to be fulfilled:
- The target website does not check the Referer HTTP header (accepts requests from external pages).
- The website accepts data modification via form submissions or URLs.
- The attacker can predict every value in the request in advance (e.g., authentication is done only via a session cookie, which the browser attaches automatically, so the attacker does not need to know any secret value).
- The victim must load a malicious page containing the attacker’s code.
An Example Scenario
Assume there is a social media platform called “MeetFriends”. In this scenario, the attacker studies this web application and builds a forged page that appears quite legitimate. Assume that the site uses session IDs to uniquely identify authenticated users; the session ID is held in a session cookie, which is stored in the browser’s cookie storage.
Suppose that MeetFriends uses a GET request to add a new friend. Then, the URL would look like: http://www.meetfriends.com/users/addfriend?id=NewFriendID
In the MeetFriends user interface, clicking the Add Friend button simply triggers the above URL and adds the new friend. However, an attacker could use a URL shortener to hide the above URL behind a link on a news website, LatestNews (https://en.latestnews.com/today). Now, when a logged-in MeetFriends user clicks that link on the news site, the browser unintentionally adds a new friend to the user’s MeetFriends account. Here, the user was tricked into performing an unwanted action, and this whole procedure is known as “Cross-Site Request Forgery”.
*The names of the above sites are all imaginary.*
Prevention
There are two major security patterns that can be implemented to prevent CSRF attacks:
- Synchronizer Token Pattern (STP)
- Double Submit Cookie Pattern
These two security patterns will be discussed in the next blog posts.
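As an added illustration (this is example code written for this post, not code from MeetFriends or from the original article), the following Python model shows the scenario above from the server’s side: the same “add friend” action implemented once as the vulnerable GET handler that trusts the session cookie alone, and once hardened with a Synchronizer Token, an Origin/Referer check and a POST-only rule. The `Request` class, the in-memory `SESSIONS` store, the user “alice” and the `SITE_ORIGIN` value are all assumptions made for the example; the URLs are the imaginary ones from the scenario.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed in-memory state standing in for the MeetFriends server (assumption).
SESSIONS: Dict[str, dict] = {}          # session_id -> {"user", "csrf_token", "friends"}
SITE_ORIGIN = "https://www.meetfriends.com"   # assumed origin of the application


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (assumption, not a real framework)."""
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and return its id, i.e. the value the browser stores as a cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32), "friends": set()}
    return sid


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token: one secret per session, embedded only in the site's own forms."""
    return SESSIONS[session_id]["csrf_token"]


def add_friend_vulnerable(req: Request) -> int:
    """State change over GET, authenticated by the session cookie alone.
    The browser attaches that cookie to every request for meetfriends.com,
    regardless of which page caused the request, so a forged request succeeds."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401
    session["friends"].add(req.params["id"])
    return 200


def add_friend_hardened(req: Request) -> int:
    """Same action with layered CSRF defences."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401
    if req.method != "POST":
        return 405                  # a GET must never change state
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN + "/") and origin != SITE_ORIGIN:
        return 403                  # request did not come from our own pages
    token = req.params.get("csrf_token", "")
    # A page on another origin cannot read this token, so it cannot supply it.
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return 403
    session["friends"].add(req.params["id"])
    return 200


def friends_of(session_id: str) -> Set[str]:
    return set(SESSIONS[session_id]["friends"])


def demo() -> Dict[str, int]:
    """Replay the scenario against both handlers and return the status codes."""
    sid = login("alice")
    # The request as the link on LatestNews would cause it: cookie present, no token,
    # foreign Referer (constructed sample, using the scenario's imaginary sites).
    cross_site_get = Request("GET", "/users/addfriend", cookies={"session": sid},
                             params={"id": "NewFriendID"},
                             headers={"Referer": "https://en.latestnews.com/today"})
    # A cross-site form submission: right method, but no token and wrong origin.
    cross_site_post = Request("POST", "/users/addfriend", cookies={"session": sid},
                              params={"id": "NewFriendID"},
                              headers={"Origin": "https://en.latestnews.com"})
    # The legitimate submission from MeetFriends' own Add Friend form.
    same_site_post = Request("POST", "/users/addfriend", cookies={"session": sid},
                             params={"id": "NewFriendID", "csrf_token": csrf_token_for(sid)},
                             headers={"Origin": SITE_ORIGIN})
    return {
        "vulnerable_cross_site_get": add_friend_vulnerable(cross_site_get),  # 200: friend added
        "hardened_cross_site_get": add_friend_hardened(cross_site_get),      # 405
        "hardened_cross_site_post": add_friend_hardened(cross_site_post),    # 403
        "hardened_same_site_post": add_friend_hardened(same_site_post),      # 200
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The Origin/Referer check is kept as a secondary layer only: browsers and proxies sometimes strip these headers, so a site that relies on them alone will either reject legitimate users or, if it falls back to allowing header-less requests, lose the protection. The per-session token is the primary defence, and `hmac.compare_digest` is used so the comparison does not leak timing information. Setting the session cookie with the `SameSite` attribute is a further, independent layer in real deployments.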
Continue Reading
Synchronizer Token Pattern (STP) | by Himashi Karunathilake | Medium
Double Submit Cookie Pattern | by Himashi Karunathilake | Medium
This article was written as part of the assignment submission for the 2nd Year, 2nd Semester Web Security (WS) module of Sri Lanka Institute of Information Technology (SLIIT).
Originally published at http://mysnowfrostpersonal.wordpress.com on October 11, 2019.