Thursday, December 31, 2015

What is a Cross Site Request Forgery Attack ?

A Cross Site Request Forgery Attack or CSRF Attack is an attack in which a user who is authenticated to a web application is tricked to perform an unwanted action like transferring funds to the attacker or change of password in his account.

How is CSRF Attack perpetrated

Most of the sites use cookies where it stores user credentials associated with the site, IP address etc. For every browser request, the information in the cookie is included with every submitted request. Normally, when a user authenticates himself in the web application, the cookie is set.

Suppose, a user has authenticated in a banking site and corresponding cookie is set in his machine. So, at this point, whatever request his browser will send to the banking site, the cookie will be used.

Now, an attacker XYZ wants to exploit the cookie and trick the user to transfer $10,000 to the attacker's account. And corresponding HTTP request for that operation is :

So, the attacker sends an email to the user ot tricks him to click a link in a webpage at this point. And the link contains :

<a href=””>Interesting Pictures! </a>

When the user will click the link while he is already authenicated to the banking site, the action will be performed and $10,000 will be transferred to the attacker XYZ.

Here, I just gave one simple example to understand the attack. In similar way, the user may be tricked to change his password, email address or to purchase something. And, applications using GET or POST method or using forms are equally vulnerable to this attack.

CSRF Attack can be stored in the vulnerable site also. And if that happens, the severity of the attack increases. In that scenario, the likelihood of the attack also increases, as the victim is more likely to visit the webpage than to visit some random website or click on some random link.

Countermeasures of CSRF Attack

The most common method of preventing CSRF Attack is to append some unpredictable challenge token to each request submitted by the user. Such tokens must be unique per session and also unique per request. As a result, even if the victim is tricked to click on some malicious link and submit a request, the attacker won't be able to predict the value of the challenge token. And so, the request will not get performed by the web application. Most web applications prevent CSRF Attack in this method.

Cautions to be taken by users

  • Log off immediately after using the web application.
  • Do not allow your browser to store username and password of sensitive web application like banking site.
  • Do not use the same browser to open sensitive web application and browse other websites freely.
  • You can also use plugins like No-Script. It makes POST based CSRF vulnerabilities much difficult to exploit.

So, follow some simple rules and beware of the possible vulnerabilities. And, stay safe, stay secured.

No comments:

Post a Comment