Topic 5: Cross-Site Request Forgery

Understanding CSRF (Cross-Site Request Forgery)

CSRF, or Cross-Site Request Forgery, is a type of security exploit where an attacker tricks a user into unintentionally executing actions on a web application. It occurs in a malicious website, email, blog, instant message, or program that causes a user's web browser to perform an unwanted action on a trusted site when the user is authenticated.  This is done through the user's active session on another website, often without their knowledge. CSRF attacks can lead to unauthorized actions, such as changing a user's email address, transferring funds, or modifying account settings.

A CSRF attack works because the browser requests automatically include all cookies, including session cookies. Therefore, if the user is authenticated to the site, the site cannot distinguish between legitimate authorized requests and forged authenticated requests. 

This attack is thwarted when proper Authorization is used, which implies that a challenge-response mechanism is required to verify the requester's identity and authority.  The impact of a successful CSRF attack is limited to the capabilities exposed by the vulnerable application and the user's privileges. For example, this attack could result in transferring funds, changing passwords, or purchasing with the user's credentials. An attacker uses CSRF attacks to make a target system perform a function via the victim's browser without the victim's knowledge until the unauthorized transaction has been committed.

Attack Scenario

• Attacker Prepares the Attack: The attacker creates a malicious webpage containing HTML and JavaScript code that automatically submits a transfer request when visited by a victim who is logged in to the online banking application. The attacker disguises this webpage as a legitimate-looking link, image, or advertisement, enticing the victim to click.

• Victim Clicks the Malicious Link: The victim, authenticated to the online banking application, unknowingly clicks on the malicious link while browsing the internet. This triggers the execution of the attacker's malicious code embedded in the webpage.

• Malicious Transfer Request Sent: The attacker's malicious code automatically constructs and submits a transfer request to the online banking application's transfer endpoint using the victim's session cookies stored in the browser. The request includes parameters such as the recipient's account number and the amount to transfer.

• Transfer Executed with Victim's Credentials: The online banking application, trusting the victim's authenticated session, processes the transfer request as if the victim initiated it. Since the victim's credentials authorize the transfer, the transaction goes through without additional authentication or confirmation.

• Unauthorized Transfer Completed: The attacker successfully executes an unauthorized transfer of funds from the victim's account to their account or another account controlled by the attacker. The victim is unaware of the transaction until they notice the changes in their account balance or receive notifications from the bank.

Two things should happen to execute a CSRF attack:

• The attacker tricks an authenticated or logged-in user into clicking a link or loading a page, like through social engineering — a phishing attack. Once the user clicks the link, the script injected by the attacker runs.

• The attacker sends a legitimate-looking HTTP request from the user's browser. The website processes the request without distinguishing whether the actual user or the CSRF attacker sends it.

As session cookies are automatically sent per request, attackers are keen on using them to make their attacks and execute malicious actions with the user's privileges.