Views

Cross-Site Request Forgery (CSRF)

1 Global Definition

Cross-Site Request Forgery (CSRF) is a web vulnerability where an attacker tricks a victim’s browser into sending unauthorized HTTP requests to a vulnerable web application in which the victim is already authenticated. This allows attackers to perform actions on behalf of the victim without their knowledge.

1.1 How CSRF Works

  1. The victim logs into a trusted website and obtains a valid session cookie.
  2. The victim unknowingly visits a malicious page controlled by the attacker.
  3. The malicious page automatically sends a forged HTTP request to the vulnerable application (e.g., transferring money, changing email).
  4. The trusted site processes the request because it comes with the victim’s valid cookie/session.

Example Attack:

<img src="https://bank.com/transfer?amount=1000&to=attacker" />

When loaded in the victim’s browser, this silently transfers money without the victim’s consent.

1.2 Real-World Impact

  • Unauthorized fund transfers in banking applications.
  • Changing the victim’s email address or password, leading to full account takeover.
  • Posting unauthorized content on social networks.
  • Large-scale incidents: Gmail (2007) and YouTube (2008) had CSRF flaws allowing account manipulation.

1.3 Defense Strategies

  • Use CSRF tokens in all state-changing requests.
  • Implement the SameSite cookie attribute to prevent cookies from being automatically included in cross-origin requests.
  • Require re-authentication before sensitive transactions.
  • Check the Referer header to validate the request source.

1.4 Why It Matters

CSRF attacks abuse the trust that a web application places in a user’s browser. They are dangerous because they can perform unauthorized actions without any user interaction or visibility. Many compliance standards like OWASP Top 10, PCI DSS, and GDPR highlight CSRF prevention as a critical security control.

Share and Join the Discussion

You need to be logged in to participate in this discussion.

×
×