Things to Know About Cross-Site Request Forgery

What, How and Prevention

Isuru Samarasekara
5 min read · May 17, 2019

What is CSRF?

CSRF, or XSRF, is an attack in which an already authenticated user is tricked into executing unwanted commands on a web application. These commands run without the user’s knowledge and on behalf of the adversary. The extent of the damage this attack can do depends entirely on the authenticated user’s access level within the web application. CSRF exploits the trust that the web application server places in the client’s web browser. How a CSRF attack is carried out is explained below.

How it Happens

Sessions and Cookies

When a client logs in to a web application, the submitted credentials are verified against those stored in the server database. Once the user is verified and starts using the functions the site provides, the server needs a way to validate the user and his/her actions on every request without forcing the user to re-enter credentials for each action. This is where the idea of persisting data across multiple page loads comes in: the server stores the necessary information on the client-side machine, and the client sends it back to the server with each request. This is done using either sessions or cookies, either of which can keep a user, and the actions he/she performs, authenticated.

Cookies are small pieces of data stored only on the client’s machine, in the web browser, and set by the websites the user is browsing. Typically, when the user logs in to a website and is authenticated, the site generates an authentication cookie and sends it to the user’s browser, which stores it. The browser then automatically attaches that cookie to every subsequent request to the same server. The server checks the authentication cookie to determine whether the user is logged in and, if so, proceeds to authorize the request.

This is where CSRF exploitation takes off. Though sessions are preferred for their various advantages over cookies, many web applications still rely on cookies to keep the user validated.

CSRF using Cookies

How the whole thing happens

CSRF attacks happen through two major steps.

  1. The first step is to use social engineering to trick the user into doing something (clicking a picture or a link, loading a page, etc.). Because of this first step, CSRF attacks also came to be known as ‘One-Click Attacks’: the user is click-baited through social engineering.
  2. The second step is the submission of a forged request, unknown to the user, to the server, triggered by the previous action (clicking the picture, etc.). Because of this second step, CSRF attacks also came to be known as ‘session riding’: the illegitimate request rides the already-authenticated session cookie to complete its task.

Explanation Using Example

Background: Assume that you have an online bank account on the website notsoamazingbank.com (which uses cookies for authentication) and that this site has a form (moneyTansferForm) for transferring money from your account to other accounts. Also assume that there is a website badbroconartist.com owned by the attacker, who somehow knows the details of this form: its submission method (GET or POST), its submission URL (the form’s action, i.e. where the form is submitted to) and its parameters (accNo, amount). (The attacker may have learned these by holding his/her own online account with the bank.)

Scenario: Let’s say you are logged in to the bank’s online account in one tab of the Chrome web browser while in another tab you are browsing badbroconartist.com for apparel. While browsing badbroconartist.com, you see a picture promising up to 75% off all merchandise if you click on it. If a CSRF attack is in place, behind that image sits a hidden form that replicates the original moneyTansferForm and is set to be submitted when you click the discount image. This form is hard-coded with parameter values, e.g. accNo=123456, amount=650,000.

Action: Since you are already logged in to the bank’s online account, your Chrome browser holds the authentication cookie previously received from the notsoamazingbank.com server. Because the relevant cookies accompany every request to the relevant server, when the identical form is submitted, even though it is submitted without the user’s knowledge, the notsoamazingbank.com authentication cookie goes along with the request. When the server checks for the authentication cookie and finds it, the requested function is executed and the transaction takes place. This happens within the authenticated user’s session, but on behalf of the adversary and unbeknownst to the user.

Prevention Mechanisms

Though there are many techniques and implementations to prevent CSRF attacks, this series of articles focuses on the two most common security best practices and implementation patterns used by web application developers. Both fall under the prevention mechanism of Anti-CSRF Tokens and are listed below.

  1. Synchronizer Token Pattern
  2. Double Submit Cookie Pattern

Basic implementations of these two patterns in Java (JSP/servlet style) will be discussed in subsequent articles.
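As an added example (not code from this article or its follow-ups), a minimal Python sketch of the Synchronizer Token Pattern applied to the bank scenario above: the server stores a per-session token, embeds it in its own transfer form, and rejects any POST that carries the session cookie but not the matching token. The SESSIONS store, the request dict and the user names are constructed stand-ins for the server-side session table and a servlet request.

```python
import hmac
import secrets

# Constructed in-memory stand-in for the bank server's session table,
# keyed by the value of the session cookie.
SESSIONS = {}

def login(user):
    """Create a session and mint a per-session anti-CSRF token kept server-side."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return cookie

def render_transfer_form(cookie):
    """The bank's own moneyTansferForm carries the session token in a hidden
    field; a page served from another origin cannot read this value."""
    token = SESSIONS[cookie]["csrf_token"]
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="accNo"><input name="amount"></form>')

def handle_transfer(request):
    """Synchronizer Token check for POST /transfer. `request` is a dict with
    'cookies' and 'form' (constructed stand-in for the servlet request).
    Returns (status, message)."""
    session = SESSIONS.get(request["cookies"].get("session", ""))
    if session is None:
        return 401, "not authenticated"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison; a missing or wrong token is rejected before
    # any state change, even though the browser sent the cookie automatically.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "csrf token mismatch"
    form = request["form"]
    return 200, f"{session['user']} transferred {form['amount']} to {form['accNo']}"

def demo():
    """Legitimate submission from the bank's page vs. a forged cross-site
    submission that rides the cookie but cannot supply the token."""
    cookie = login("alice")  # constructed user
    token = SESSIONS[cookie]["csrf_token"]
    legit = {"cookies": {"session": cookie},
             "form": {"csrf_token": token, "accNo": "987654", "amount": "100"}}
    forged = {"cookies": {"session": cookie},
              "form": {"accNo": "123456", "amount": "650000"}}
    return handle_transfer(legit)[0], handle_transfer(forged)[0]
```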

Conclusion

Though cookies are a convenient mechanism for giving users a better experience, their basic implementation is not without flaws. Because the browser submits cookies to the server automatically, they become an easy entry point for adversaries to execute unwanted actions with the authorized user’s access level on the server. Though data retrieval is not affected by CSRF attacks, CSRF is still ranked in the OWASP Top 10-2017, the latest list as of this writing.

Remarks of the Author

If you are a regular reader, please look forward to the article introducing the most common CSRF prevention mechanism, the Synchronizer Token Pattern. (Edited: it is available here.)

If this article was helpful and informative and if you think this is worth reading by others like you, please help them find this by clicking the 👏 button below.

Isuru Samarasekara

A Software Engineer, @WSO2, who is fascinated by IAM, microservices, machine learning and artificial intelligence.