Cross Site Request Forgery (CSRF)

What is CSRF?

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. 

The impact of a successful CSRF attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context with a little help of social engineering (such as sending a link via email or chat)

CSFR Example

In effect, CSRF attacks are used by an attacker to make a target system perform a function via the target's browser without knowledge of the target user, at least until the unauthorized transaction has been committed. 

If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

 CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. 
Sites that are more likely to be attacked by CSRF are community websites (social networking, email) or sites that have high dollar value accounts associated with them (banks, stock brokerages, bill pay services).

CSRF attacks are also known as XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery, and Hostile Linking.



Methods of CSRF Mitigation


A number of effective methods exist for both prevention and mitigation of CSRF attacks.

From a user’s perspective, prevention is a matter of safeguarding login credentials and denying unauthorized actors access to applications.

Best practices include:
  • Logging off web applications when not in use 
  • Securing usernames and passwords 
  • Not allowing browsers to remember passwords 
  • Avoiding simultaneously browsing while logged into an application 

For web applications, there are several methods that can be used to protect our own website by generating Cross-Site Request Forgery Tokens in server side and validating them before respond to any client request. They are;


Approaches that do require no server side state:


These are listed in order of strength of defense. So use the strongest defense that makes sense in your situation.

Comments

Post a Comment

Popular posts from this blog

Introduction to Encryption

Image
What is Encryption? Encryption is like sending secret messages between parties; if someone tries to pry without the proper keys, they won't be able to understand the message. In other words, it is the process of locking up information using cryptography (Cryptography is both the practice and the study of hiding information.) Definition:  ‘ The Process of converting plain text into cipher text, something that appears to be random and meaningless ’ is called as the encryption. Process of converting cipher text back into original text is called as decryption . Terminology Original message is called as plain text/clear text.   Encrypted message is called as cipher text/encrypted text.  A Key which is a secret like a password which is used to encrypt and decrypt information.  Ciphers are the specific algorithms which are used to encrypt and decrypt data. A cipher is series of well-defined steps that can be followed as a procedure to encrypt and decrypt m
Read more

Cross-Site Request Forgery protection in web applications via Double Submit Cookies Patterns

Image
Double submission of cookies is another well-known method to block CSRF. Similar to using unique tokens, random tokens are assigned to both a cookie and a request parameter. In double-submitted cookie pattern, two cookies (for the session and for the CSRF token) are stored in the browser. This pattern is also called as Stateless CSRF Defense since the server site does not have to save this value in any way, thus avoiding server side state. In our previous method, we stored CSRF token values on the server side (text file). But here we don't do it. When a user authenticates to a site, the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session id. The site then requires that every transaction request include this random value as a hidden form value (or other request parameter). A cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin
Read more

How to do a Phishing attack on Facebook?

Image
This is a Step by step tutorial to make an undetectable Facebook phishing site. Step 1: Download page source Go to https://www.facebook.com Right click on the blank area -> Click Save As When dialog box appears select ‘Webpage, complete’ as Save as type -> Click Save Step 2: Edit “Facebook - Log In or Sign Up.html” file and rename it. Open ‘Facebook - Log In or Sign Up.html’ file with notepad or Dreamweaver. Remove all the ajax codes. (You can download HTML file which removed all ajax codes form here https://github.com/nimeshikaranasinghe/Facebook-Phisihing.git   ) Search for login action (Press Ctrl + F -> type ‘ action= ’ -> Click Find Next) Replace the highlighted part (as in the following screenshot) with getDetails.php Save the file as index.html Step 3: Create getDetails.php Open a notepad. Type the following code <?php             $username = $_POS
Read more