Security Risk—CSRF

Learn about the CSRF vulnerability by examining a real-world example, and explore what CSRF is and how to protect against it.

Introduction to CSRF

In our exploration of web security challenges, we often encounter Cross-Site Request Forgery, commonly known as CSRF. This malicious exploit tricks web users into performing, without their knowledge or consent, unwanted actions on a web application in which they’re authenticated.

By leveraging the trust a site has in the user’s browser, attackers can execute harmful actions on behalf of an unsuspecting user. It’s imperative for us to understand and guard against CSRF, as such attacks can lead to unauthorized data changes, potential account breaches, and other unintended consequences in web applications we interact with or develop.

Imagine that we’re logged into our bank’s website in one tab. Concurrently, we have another tab open where we’re surfing through a seemingly harmless website filled with cute kitten photos. Little do we know that this innocent-looking website is the mischievous entity in our plot.

Here is how a CSRF attack takes place:

  1. The attacker discovers a CSRF vulnerability in our application: our site trusts any request that arrives with the user’s session cookie and doesn’t verify that the request was actually intended by the user.

  2. They craft a malicious website or script that, upon loading, automatically sends a forged request to our application (like a fund transfer or password change). If the victim is logged into our site, the browser attaches the victim’s session cookie to that request.

  3. An unsuspecting user visits the attacker’s crafted website or loads the malicious script. Without the user’s knowledge, this script sends the forged request to our application.

  4. Our application, thinking that the request is legitimate because it comes from a logged-in user, executes the request. This can lead to unauthorized actions being performed, like changing user details, transferring funds, or altering permissions.

The vulnerability

For example, a website may have a hidden form or script that issues a request to our bank’s website. Something like:

<img src="http://our-bank/transfer?to=attacker&amount=1000" width="0" height="0" border="0">

This line of code tries to make a transfer to the attacker’s account. Because our browser is logged into our bank’s website, it would include our session cookie with the ...
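As an added example (not code from the lesson), here is a hardened version of the bank’s transfer handler, written as plain Python functions with no web framework: it refuses the GET that the hidden img tag produces, checks the Origin/Referer header against the site’s own origin, and requires a per-session CSRF token that a page on another site cannot read. The site origin, the session store and the sample request values are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed stand-ins: our bank's origin and a server-side session store keyed
# by the session cookie value (neither value is from the lesson).
SITE_ORIGIN = "https://our-bank.example"
SESSIONS: dict[str, dict] = {}

def issue_csrf_token(session_id: str) -> str:
    """Create a random per-session token; the bank embeds it as a hidden form field."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["csrf"] = token
    return token

def is_same_origin(headers: dict) -> bool:
    """True only if the browser reports a page on our own site as the source."""
    # A forged request from the kitten site carries that site's Origin/Referer, or
    # none at all under a strict referrer policy; both cases fail this check.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN

def handle_transfer(method: str, headers: dict, cookies: dict, form: dict):
    """Hardened transfer handler: returns ("ok", details) or ("rejected", reason)."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return ("rejected", "not logged in")
    # The hidden <img> can only issue a GET, so state changes must require POST.
    if method != "POST":
        return ("rejected", "state change must be POST")
    if not is_same_origin(headers):
        return ("rejected", "cross-site origin")
    # The attacker's page cannot read our token, so a forged POST cannot supply it.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return ("rejected", "missing or wrong csrf token")
    return ("ok", {"to": form["to"], "amount": int(form["amount"])})

if __name__ == "__main__":
    sid = "sess-demo"                     # constructed session cookie value
    token = issue_csrf_token(sid)
    # Forged GET from the kitten page (cookie only) vs. the bank's own form POST.
    print(handle_transfer("GET", {"Referer": "http://kittens.example/"},
                          {"session": sid}, {"to": "attacker", "amount": "1000"}))
    print(handle_transfer("POST", {"Origin": SITE_ORIGIN}, {"session": sid},
                          {"to": "alice", "amount": "50", "csrf_token": token}))
```

Setting the session cookie with the SameSite attribute adds a second, browser-enforced layer on top of these server-side checks.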
