
Cross-Site Request Forgery (CSRF) in simple words

By: Priya Philip 5 months ago

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Assume that you logged into your online bank site (www.xxbank.com) and a transfer of an amount results in a request of (conceptually) the form http://www.xxbank.com/trans?to=<xxAccountnumber>;amt=<Amount>. (Your own account number is not needed, because it is implied by your login.)

Now you visit a malicious website (www.malicious-website.org). The form of the above request is easy to learn, and if the malicious site owner correctly guesses that you are logged into your bank site (it requires some luck!), they can include on their page a request like http://www.xxbank.com/trans?to=987654321;amt=20000 (where 987654321 is the attacker's account number and 20000 is the amount that you previously thought you were glad to possess).

When your browser retrieves that www.malicious-website.org page, it makes that request. Your bank cannot recognize the origin of the request: your web browser sends the request along with your www.xxbank.com cookie, so it looks perfectly legitimate. There goes your money!

This is the world without CSRF tokens.


Transfers with CSRF tokens:

With CSRF tokens, the transfer request carries a third argument, 'token', like http://www.xxbank.com/trans?to=987654321;amt=20000;token=83242653583193598462649719717953302884231. The bank site includes the token (a large random number that is impossible to guess) in the webpage it serves to us, and the token is different for every page. When we make the request, the server simply compares the submitted token with the CSRF token it remembered for our session. If both are equal, the server continues to process the request. Otherwise it stops processing the request and responds with an error. Since the malicious site can never read the bank's page (and therefore never learns the token), its forged request arrives without a valid token and is rejected.
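The server-side check described above, as an added example that is not part of the original article. It is a self-contained simulation in Python (no web framework): the session store, the `/trans` handler and the `;`-separated query format are hypothetical, and the balance and account numbers are constructed sample values.

```python
import hmac
import secrets

# Hypothetical in-memory session store: session id -> {"balance": ..., "token": ...}
SESSIONS = {}


def create_session(balance):
    """Simulates logging in; the browser later presents `sid` as the bank cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"balance": balance, "token": None}
    return sid


def render_transfer_page(sid):
    """Server issues a fresh, unguessable token each time it serves the page."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["token"] = token
    return token  # would be embedded in the form as a hidden field


def parse_query(query):
    """Parses 'to=987654321;amt=20000;token=...' (the article's ;-separated form)."""
    return dict(part.split("=", 1) for part in query.split(";") if "=" in part)


def handle_transfer(sid, query):
    """Simulated /trans handler. The browser attaches the cookie automatically,
    so `sid` is present on forged requests too; only the token tells them apart."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    params = parse_query(query)
    submitted, expected = params.get("token"), session["token"]
    # Reject if no token was issued, none was submitted, or they differ;
    # compare_digest avoids leaking the token through timing differences.
    if expected is None or submitted is None or not hmac.compare_digest(
        submitted.encode(), expected.encode()
    ):
        return 403, "CSRF token missing or invalid"
    session["token"] = None  # single use: a replay must load the page again
    amount = int(params["amt"])
    if amount > session["balance"]:
        return 400, "insufficient funds"
    session["balance"] -= amount
    return 200, f"transferred {amount} to {params['to']}"
```

A forged request from another site (cookie present, token absent) gets 403 and the balance is untouched; the same request with the token from the served page succeeds once and is refused on replay.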
