Cross Site Request Forgery

  • What is cross site request forgery?

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

CSRF attacks are also known by a number of other names, including XSRF, “Sea Surf”, Session Riding, Cross-Site Reference Forgery, and Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in their threat modeling process and many places in their online documentation.

  • CSRF Defense Strategies

Let's take a look at how you can prevent CSRF attacks in your applications. Broadly, you have two strategies:

  1. Making sure that the request you're receiving is valid, i.e., it comes from a form generated by the server.

  2. Making sure that the request comes from a legitimate client.

  • Validating Requests

Attackers can perform a CSRF attack if they know the parameters and values to send in a form or in a query string. To prevent those attacks, you need a way to distinguish data sent by the legitimate user from data sent by the attacker. In other words, you need a way to validate requests and only accept the legitimate ones.
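The usual way to tie a request to a form the server generated is a synchronizer token: the server creates an unpredictable token per session, embeds it in every state-changing form as a hidden field, and rejects any submission whose token does not match the one stored for that session. The following is an added example written for this page (not code from the original article) that shows the pattern end to end. The in-memory `SESSIONS` dictionary, the `/transfer` action and the handler names are assumptions made for the demonstration; in a real application the token would live in whatever session store the framework provides.

```python
import hmac
import secrets

# Constructed in-memory session store for the demo: session_id -> session data.
# A real application would use its framework's server-side session storage.
SESSIONS = {}


def new_session():
    """Create a session and bind a fresh, unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Server-generated form: the session's token is embedded as a hidden field.

    token_urlsafe() only yields [A-Za-z0-9_-], so the value needs no HTML escaping.
    """
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button>'
        "</form>"
    )


def is_valid_csrf(sid, submitted_token):
    """True only if the submitted token equals the one bound to this session.

    A forged cross-site request cannot read the victim's page, so it cannot
    learn the token; a missing or wrong token is rejected. compare_digest()
    avoids leaking the token through timing differences.
    """
    session = SESSIONS.get(sid)
    if session is None or not submitted_token:
        return False
    return hmac.compare_digest(session["csrf_token"], submitted_token)


def handle_transfer(sid, form):
    """Hypothetical POST /transfer handler: validate the token before acting."""
    if not is_valid_csrf(sid, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    # State change happens only after the token check passed.
    return 200, f"transferred {form['amount']}"


if __name__ == "__main__":
    sid = new_session()
    print(render_form(sid))
    token = SESSIONS[sid]["csrf_token"]
    print(handle_transfer(sid, {"csrf_token": token, "amount": "10"}))  # legitimate
    print(handle_transfer(sid, {"amount": "10"}))                       # forged, no token
```

The session identifier (`sid`) stands in for whatever cookie-backed session the framework maintains; the important property is that the token is bound to that session and checked on every state-changing request, not only on the first one.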

  • Validating Requests Origin

To make sure that an HTTP request is coming from a legitimate client, you should validate its origin. That is, the server should determine the source origin of the request and compare it with the target origin. You can do this by analyzing a few HTTP headers like Origin or Referer. You can rely on these headers because page scripts cannot set or alter them; only the browser can set them.
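The check described above can be implemented with a few lines of URL parsing. The following is an added example for this page (not code from the original article): it reduces the Origin header, or the Referer header when Origin is absent, to a scheme/host/port triple and compares it with the expected target origin. The target origin is assumed to be configured on the server (here passed in as `target_origin`) rather than read from the incoming Host header; the header dictionary and the sample values are constructed for the demonstration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL to its origin: lower-cased scheme://host[:port].

    Returns None for anything that does not parse into a usable origin,
    including the literal value "null" that browsers send for opaque origins.
    """
    parts = urlsplit(url)
    scheme, host = parts.scheme, parts.hostname  # both normalised to lower case
    if not scheme or not host:
        return None
    try:
        port = parts.port
    except ValueError:  # malformed port component
        return None
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def source_origin(headers):
    """Determine the request's source origin: prefer Origin, fall back to Referer."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = h.get("origin")
    if origin and origin != "null":
        return origin_of(origin)
    referer = h.get("referer")
    if referer:
        return origin_of(referer)
    return None


def is_request_origin_valid(headers, target_origin):
    """True only if the source origin is present and equals the target origin.

    When neither header is available the request is rejected (fail closed):
    a state-changing request with no identifiable origin cannot be trusted.
    """
    src = source_origin(headers)
    if src is None:
        return False
    return src == origin_of(target_origin)


if __name__ == "__main__":
    # Constructed sample headers for a site whose configured origin is https://bank.example
    target = "https://bank.example"
    for hdrs in (
        {"Origin": "https://bank.example"},                              # same origin
        {"Referer": "https://bank.example/accounts/transfer?id=1"},      # fallback to Referer
        {"Origin": "https://attacker.example"},                          # cross-site
        {"Origin": "https://bank.example.attacker.example"},             # look-alike host
        {},                                                              # no headers
    ):
        print(hdrs, "->", is_request_origin_valid(hdrs, target))
```

Comparing whole origins rather than checking that the header "contains" or "starts with" the site name is what defeats look-alike hosts such as `bank.example.attacker.example`. Rejecting requests that carry neither header is a deliberate trade-off: some privacy settings and proxies strip Referer, so a site that fails closed should pair this check with the token-based defense above rather than relying on it alone.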