CSRF : Web App Security Basics

Cross Site Request Forgery (CSRF/XSRF) also known as One-Click Attack or session riding is type of attack where unintended actions are performed by the end user on web. For example, change of email address, password change, fund transfer, etc. actions could be performed while user is currently authenticated. Attacker could get full control of application, depending upon the flaw in system.

Do you ever wonder, how websites know if it is you, when you add things in your cart or how does it distinguish between the different users because every request that goes to application is a new request. The answer is session cookies.

Session cookie contains information of the session and tracks user’s inputs and actions. It is stored temporarily and deleted after a specific period of time.

But what if these session cookies help the attacker to perform an unintended action by user. One of these attack scenario is CSRF.

Example:

Susan (victim) is currently authenticated on her banking site and attacker knows this information. Attacker sends malicious link to Susan via mail/message “jackpot lottery”. Susan being curious clicks on the link. The link opens in the same browser where she is logged in on bank site and that malicious link sends the request to the application and due to lack of security, a specific amount of money is transferred to attacker’s account.

How/Execution:

There are few factors that have to come together to execute this attack.

• The server depends on session cookie only for identifying the user who has made request and server does not check for origin of the request.
• Using skills of social engineering, attacker tricking the victim to click on malicious link while currently logged in and link/request sent from same browser.
• The malicious link/request that attacker sends to victim, has to be legitimate looking request to server.

Any HTTP request with cookie/credentials sent by victim would be considered legitimate and action would be taken on application, even when victim is sending the request on attacker’s behalf.

Despite it’s limitations, CSRF is very common attack and should be taken seriously. It was ranked 8th top attack in OWASP Top 10–2013.

Crafting HTTP request for attack:

You can manually craft HTTP request for attack but sometimes that could be time consuming. There are also some tools like OWASP CSRF Tester or CSRF PoC Generator which is in Burp Suite Professional. OWASP ZAP an open source web application security tool could be used to craft the request.

Prevention:

Below are some methods which can be used for prevention:

1. Do not use GET requests for state changing operations.
2. Usage of built-in CSRF Protection of framework.
3. Anti-CSRF tokens.
4. Double submit technique.
5. Multi-factor authentication for important change operations (ex., OTP or security questions).
6. Usage of ‘SameSite’ cookie attribute for all the session cookie.
7. Custom request headers.
8. Training and awareness.

Mistakes/Bypassing:

Below are the few mistakes in CSRF prevention implementation and attacker could bypass CSRF protection:

1. Anti-CSRF token is not unique per session or token is predictable.
2. Some applications verify CSRF token when it is present, but by removing it from request, application skips verification.
3. Application verifies CSRF token sent via POST request, but skips GET request.
4. CSRF token duplicated in ‘Double Submit’ technique.

References:

What is CSRF (Cross-site request forgery)? Tutorial & Examples | Web Security Academy

Cross-Site Request Forgery Prevention - OWASP Cheat Sheet Series

Cross-site request forgery