Cross-Site Request Forgery (CSRF)
1 Global Definition
Cross-Site Request Forgery (CSRF) is a web vulnerability where an attacker tricks a victim’s browser into sending unauthorized HTTP requests to a vulnerable web application in which the victim is already authenticated. This allows attackers to perform actions on behalf of the victim without their knowledge.
1.1 How CSRF Works
- The victim logs into a trusted website and obtains a valid session cookie.
- The victim unknowingly visits a malicious page controlled by the attacker.
- The malicious page automatically sends a forged HTTP request to the vulnerable application (e.g., transferring money, changing email).
- The trusted site processes the request because it comes with the victim’s valid cookie/session.
Example Attack:
<img src="https://bank.com/transfer?amount=1000&to=attacker" />
When loaded in the victim’s browser, this silently transfers money without the victim’s consent.
1.2 Real-World Impact
- Unauthorized fund transfers in banking applications.
- Changing the victim’s email address or password, leading to full account takeover.
- Posting unauthorized content on social networks.
- Large-scale incidents: Gmail (2007) and YouTube (2008) had CSRF flaws allowing account manipulation.
1.3 Defense Strategies
- Use CSRF tokens in all state-changing requests.
- Implement the SameSite cookie attribute to prevent cookies from being automatically included in cross-origin requests.
- Require re-authentication before sensitive transactions.
- Check the Referer header to validate the request source.
1.4 Why It Matters
CSRF attacks abuse the trust that a web application places in a user’s browser. They are dangerous because they can perform unauthorized actions without any user interaction or visibility. Many compliance standards like OWASP Top 10, PCI DSS, and GDPR highlight CSRF prevention as a critical security control.