Cross Site Request Forgery, CSRF or XSRF for short, is a web attack. Do not confuse it with Cross Site Scripting (XSS): the two are quite different. Like SQL injection and XSS, CSRF has been in the OWASP Top 10 list of web vulnerabilities for many years.
What is Cross Site Request Forgery Attack?
Cross Site Request Forgery (CSRF) is an attack in which the attacker exploits a user's active session in the browser without that user's knowledge or permission. Using the victim's browser session, the attacker sends valid requests to a website that perform some action in the user's account. The user cannot tell that the request was sent from his browser. The attacker uses some third-party website to generate these valid requests from the user's browser.
Example: if a form on a website can also be submitted from some other website, the site is vulnerable to CSRF. Suppose there is a form on a vulnerable website:
<form action="action.php" method="post">
And I made a duplicate form on my localhost:
<form action="http://www.vulnerablesite.com/action.php" method="post">
If I am able to submit the form by using the copy on my localhost, the website is vulnerable to CSRF. Because this attack uses the user's own session to perform the malicious action, it is also known as a "Session Riding" attack. It is sometimes hard to understand how this attack works in real life, so I am explaining it with the help of an example.
Suppose an online payment website like Paypal has a CSRF vulnerability. Attacker A wants to exploit it and attack victim B. For this he uses some third-party website. Innocent user B logs in to his account to check the balance and then switches to a new tab without logging out of the older tab. The session is still active in the browser.
Attacker A has posted a link or image on a website that, when loaded, submits the payment transfer form using the active session, transferring money to the attacker's account. Because the request came from the user's browser with his session, the CSRF-vulnerable website transfers the funds.
How CSRF is different from XSS
Many people confuse CSRF with XSS. In XSS, the attacker exploits the user's trust in the website: we inject a malicious script, and the user trusts it simply because he sees a valid website URL. In CSRF, by contrast, the attacker exploits the website's trust in the browser: the website assumes that a request coming from the user's browser was made by the user himself.
Both vulnerabilities are serious.
Protection against CSRF attack:
Many people think that defending against XSS also prevents CSRF, but this is not true. Several separate measures are needed to limit the attack.
There are many ways to protect against CSRF attacks. Some important ones are given below:
- Check the HTTP Referer header. If the request comes from a different domain, deny it.
- Limit the lifetime of authentication cookies. If the user is inactive for a fixed time, the session must expire.
- Limit the damage by authenticating each request the user makes.
- Use a random token for each session.
Deepanker Verma is a security researcher and tech blogger. You can read his security blog at HackingTricks.