
Cross-Site Request Forgery Guide: Learn All About CSRF Attacks and CSRF Protection

Cross-Site Request Forgery Attacks

Cross-Site Request Forgery (CSRF) is an attack, listed in several editions of the OWASP Top 10, in which a malicious website causes the victim's browser to send a request to a different web application that the victim is already authenticated to. Because the browser automatically attaches the target site's cookies to that request, the attacker can invoke functionality in the target application with the victim's privileges, using the victim's already authenticated browser. Targets include web applications such as social media sites, in-browser email clients, online banking, and the web interfaces of network devices.

Key Concepts of Cross-Site Request Forgery

  • Malicious requests are sent from a site that a user visits to another site that the attacker believes the victim is authenticated to.
  • The malicious requests are routed to the target site via the victim’s browser, which is authenticated against the target site.
  • The vulnerability lies in the affected web application, not the victim’s browser or the site hosting the CSRF.


Executing a CSRF Attack

In a Cross-Site Request Forgery attack, the attacker exploits how the target web application manages authentication: the application treats any request that carries the user's session cookie as an action the user intended. For CSRF to be exploited, the victim must be authenticated to (logged in to) the target site. For instance, say examplebank.com has online banking that is vulnerable to CSRF. If I visit a page containing a CSRF attack against examplebank.com but am not currently logged in to the bank, nothing happens; the forged request arrives without a valid session and is rejected. If I am logged in, however, the requests in the attack will be executed as if they were actions I had intended to take.
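To make the logged-in versus logged-out distinction concrete, here is an added example (not code from the original article) that models examplebank.com's transfer endpoint and replays the forged request the victim's browser would send on behalf of somemalicioussite.com. The session store, the account balances, the request shape and the hardened handler with an Origin check and a per-session token are all constructed here for illustration and are not taken from the article.

```python
"""Added example, not code from the original article: a minimal model of
the examplebank.com transfer endpoint, showing why a forged request from
somemalicioussite.com succeeds when the victim is logged in and does
nothing when they are not. The session store, balances, hardened handler
and request shapes are all constructed here for illustration."""

import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

BANK_ORIGIN = "https://examplebank.com"

# Constructed sample state: one logged-in victim and one per-session CSRF token.
SESSIONS = {"sess-abc123": "alice"}
CSRF_TOKENS = {"sess-abc123": "tok-7f3a9c"}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def forged_request(session_cookie=None):
    """The request the victim's browser sends on behalf of somemalicioussite.com.
    The browser attaches examplebank.com's cookie automatically (if one exists);
    the attacker controls only the path and the form body."""
    cookies = {"session": session_cookie} if session_cookie else {}
    return Request(
        method="POST",
        path="/transfer",
        cookies=cookies,
        headers={"Origin": "https://somemalicioussite.com"},
        form={"to": "123456789", "amount": "1500.00"},
    )


def vulnerable_transfer(req, balances):
    """examplebank.com as the article describes it: authenticated by cookie
    alone, so any request carrying the cookie is treated as the user's intent."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401, "not logged in"  # victim not authenticated: nothing happens
    amount = float(req.form["amount"])
    if balances.get(user, 0.0) < amount:
        return 400, "insufficient funds"
    balances[user] -= amount
    balances[req.form["to"]] = balances.get(req.form["to"], 0.0) + amount
    return 200, "transfer completed"


def same_origin(req):
    """Accept only requests whose Origin (or, failing that, Referer) is the bank."""
    origin = req.headers.get("Origin")
    if origin is None:
        referer = req.headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == BANK_ORIGIN


def hardened_transfer(req, balances):
    """Hypothetical hardening (not from the article): reject cross-origin
    requests and require a per-session token the attacker's page cannot read."""
    if not same_origin(req):
        return 403, "cross-site request rejected"
    expected = CSRF_TOKENS.get(req.cookies.get("session"), "")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    return vulnerable_transfer(req, balances)


def run_scenario(handler, logged_in):
    """Replay the forged request against a fresh balance sheet and report
    the HTTP status and alice's remaining balance."""
    balances = {"alice": 5000.00}
    cookie = "sess-abc123" if logged_in else None
    status, _ = handler(forged_request(cookie), balances)
    return status, balances["alice"]


if __name__ == "__main__":
    print("vulnerable, logged out:", run_scenario(vulnerable_transfer, False))  # (401, 5000.0)
    print("vulnerable, logged in: ", run_scenario(vulnerable_transfer, True))   # (200, 3500.0)
    print("hardened, logged in:   ", run_scenario(hardened_transfer, True))     # (403, 5000.0)
```

The three scenarios line up with the paragraph above: with no session cookie the vulnerable handler does nothing, with a cookie it moves $1500 to account 123456789 exactly as if alice had submitted the form herself, and the hardened handler refuses the same request because its Origin is somemalicioussite.com and it carries no token.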

Let's look at how the attack described above would work in a bit more detail. First, assume that I'm logged in to my account on examplebank.com, which offers standard online banking features, including transferring funds to another account.

Now let's say I happen to visit somemalicioussite.com. This site targets people who bank with examplebank.com, and its operators have set up a CSRF attack on it. The attack will transfer $1500.00 to the attacker's account, account number 123456789. Somewhere on somemalicioussite.com the attackers have added this line of code: