InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


Cross-Site Request Forgery 😈

What CSRF is, how it’s done, and how you can prevent it

Martin Thoma
Published in InfoSec Write-ups
5 min read, Feb 9, 2021


Photo by Michael Geiger on Unsplash

Cross-Site Request Forgery (short: CSRF or XSRF) is an attack that makes the victim's browser send a request to a website where the victim holds privileges that are interesting to the attacker. It’s sometimes pronounced “sea surf” or called “session riding”. A CSRF attack could make your browser transfer money from your bank account to the attacker, buy something for the attacker in an online store, connect with someone in a social network, like a product, Tweet or post, and many other things.

Let’s learn how CSRF is done and how it’s prevented!

Why you should care

Similar to SQL injection, you can defend perfectly against CSRF if you know that it is an issue. However, if you are not aware of the problem, you will probably not take any measures against the attack.

  • CSRF was #8 in OWASP Top-10 2013 and #5 in 2010.
  • 2008: Netflix was vulnerable to CSRF attacks (source)
  • 2016: AVM FritzBox was vulnerable to CSRF attacks (source)
  • 2019: www.cert-bund.de was vulnerable to CSRF attacks (source, source 2). This is an organization of the German government which is related to IT security.
  • 2019: SupportAssist by Dell was vulnerable to CSRF attacks (source)
  • 2020: Austrian mobile internet providers (Drei, Yesss) were vulnerable to CSRF attacks (source)
  • 2020: Meetup.com was vulnerable to CSRF (source)

How it works

Websites need a way to authenticate users. When you log in, your browser stores some session information so that you don't have to enter your username and password with every single request. It’s typically stored as a cookie. Let’s just call that part the “session context”. The session context is automatically sent with every request your browser makes to that site.

Let’s walk through an example attack. You are a loyal customer of bank.com and you’re logged in pretty much all the time. The attacker created a malicious website attack.com and tricked you into visiting it. When you visit attack.com, your browser executes the JavaScript on it automatically. It also downloads all images. The attacker told your browser to call
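As an added illustration of the two paragraphs above (this is not code from the article), the following Python model plays the bank.com / attack.com scenario against two versions of a transfer endpoint. The vulnerable handler trusts the session cookie alone, which the browser attaches to every request for bank.com no matter which page triggered it; the hardened handler also checks the browser-set Origin header and a per-session token that only bank.com's own form carries. The names `Bank`, `Request`, the balances and the origins are constructed, and the token-plus-Origin defence is the standard mitigation assumed here, not something the article states at this point.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed values for the scenario in the text: the victim is logged in to
# bank.com, and attack.com is the attacker's page.
SITE_ORIGIN = "https://bank.com"
ATTACKER_ORIGIN = "https://attack.com"


@dataclass
class Request:
    """What bank.com's server sees for one HTTP request (constructed model)."""
    cookies: Dict[str, str]          # attached automatically by the browser for bank.com
    form: Dict[str, str]             # POST body, written by whoever authored the page
    origin: Optional[str] = None     # Origin header, set by the browser, not by page script


@dataclass
class Bank:
    balances: Dict[str, int] = field(default_factory=lambda: {"victim": 100, "attacker": 0})
    sessions: Dict[str, str] = field(default_factory=dict)     # session id -> username
    csrf_tokens: Dict[str, str] = field(default_factory=dict)  # session id -> token

    def login(self, user: str) -> str:
        """Create the session context: a random cookie value plus a per-session token."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        self.csrf_tokens[sid] = secrets.token_hex(16)
        return sid

    def _user_from_session(self, request: Request) -> Optional[str]:
        return self.sessions.get(request.cookies.get("session", ""))

    def _move(self, src: str, dst: str, amount: int) -> str:
        if self.balances.get(src, 0) < amount:
            return "400 insufficient funds"
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return "200 ok"

    def transfer_vulnerable(self, request: Request) -> str:
        """Trusts the session cookie alone: anything the browser sends for bank.com is accepted."""
        user = self._user_from_session(request)
        if user is None:
            return "401 not logged in"
        return self._move(user, request.form["to"], int(request.form["amount"]))

    def transfer_hardened(self, request: Request) -> str:
        """Same action, but also demands proof that the request came from bank.com's own page."""
        user = self._user_from_session(request)
        if user is None:
            return "401 not logged in"
        # The browser sets Origin itself; page script on attack.com cannot forge it.
        if request.origin is not None and request.origin != SITE_ORIGIN:
            return "403 cross-site origin"
        # The token is embedded in bank.com's own form; attack.com never saw it.
        expected = self.csrf_tokens[request.cookies["session"]]
        supplied = request.form.get("csrf_token", "")
        if not hmac.compare_digest(expected, supplied):
            return "403 missing or wrong csrf token"
        return self._move(user, request.form["to"], int(request.form["amount"]))


def forged_request(sid: str, origin: Optional[str] = ATTACKER_ORIGIN) -> Request:
    """The request attack.com makes the victim's browser send: the session cookie
    rides along automatically, but the form fields are the attacker's."""
    return Request(cookies={"session": sid},
                   form={"to": "attacker", "amount": "100"}, origin=origin)


def legitimate_request(bank: Bank, sid: str) -> Request:
    """A transfer submitted from bank.com's own form, which carries the token."""
    return Request(cookies={"session": sid},
                   form={"to": "shop", "amount": "10", "csrf_token": bank.csrf_tokens[sid]},
                   origin=SITE_ORIGIN)


def demo() -> Dict[str, tuple]:
    """Run the forged request against both handlers; report (status, victim balance)."""
    results = {}
    vulnerable = Bank()
    sid = vulnerable.login("victim")
    results["vulnerable"] = (vulnerable.transfer_vulnerable(forged_request(sid)),
                             vulnerable.balances["victim"])
    hardened = Bank()
    sid = hardened.login("victim")
    results["hardened_forged"] = (hardened.transfer_hardened(forged_request(sid)),
                                  hardened.balances["victim"])
    # Not every request carries an Origin header; without it the token check still rejects.
    results["hardened_no_origin"] = (hardened.transfer_hardened(forged_request(sid, origin=None)),
                                     hardened.balances["victim"])
    results["hardened_legit"] = (hardened.transfer_hardened(legitimate_request(hardened, sid)),
                                 hardened.balances["victim"])
    return results


if __name__ == "__main__":
    for name, (status, balance) in demo().items():
        print(f"{name:20} {status:32} victim balance = {balance}")
```

The point the model makes is that the cookie proves who the browser is logged in as, not which page asked for the action; the token and the Origin check supply that second piece of evidence. Two defensive details matter in practice: compare tokens with a constant-time function such as `hmac.compare_digest`, and treat a missing Origin header as "unknown" rather than "trusted", so the token check remains the backstop.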

Written by Martin Thoma

I’m a Software Engineer with over 10 years of Python experience (Backend/ML/AI). Support me via https://martinthoma.medium.com/membership