Cross-site request forgery (CSRF) - ICSS

What is the consequence of a CSRF attack?

In a successful CSRF attack, the attacker causes the victim user to perform an accidental action. This could be to update their email address, reset their password, or make a money transfer, for example. The attacker may be able to obtain complete control of the user's account depending on the nature of the action. If the compromised user has a privileged role within the application, the attacker may be able to take complete control of all data and functionality.

How does CSRF function?

Three critical factors must be met in order for a Cross-site request forgery (CSRF) attack to be successful:

• A relevant action. The attacker has a reason to cause an activity within the programme. This could be a privileged action (such as changing other users' permissions) or any action on user-specific data (such as changing the user's own password).
• Cookie-based session handling. The activity entails making one or more HTTP requests, and the programme only uses session cookies to identify the user who made the requests. There is no other method for tracking sessions or validating user requests.
• No unpredictable request parameters. The requests that carry out the action do not include any parameters whose values the attacker cannot deduce or predict. For example, while causing a user to change their password, the function is not vulnerable if an attacker knows the current password's value.

Assume an application includes a feature that allows the user to modify their email address on their account. When a user does this action, they send an HTTP request that looks like this:

POST /email/change HTTP/1.1

Host: example-website.com

Content-Type: application/x-www-form-urlencoded

Content-Length: 30

Cookie: session=yvkowsztyeQkDZzeQ5gAdFreyxHfsAfE

email=Lennie@user.com

This satisfies the CSRF requirements::

• An attacker is interested in the action of changing the email address on a user's account. Following this operation, the attacker is usually able to force a password reset and gain complete control of the user's account.
• A session cookie is used by the programme to determine which user made the request. There are no other systems or tokens in place to track user sessions.
• The attacker can quickly identify the values of the request parameters required to carry out the action.

With these conditions met, the attacker can create a web page that contains the following HTML:

<html>

<body>

<form action="https://example-website.com/email/change" method="POST">

<input type="hidden" name="email" value="pwned@evil-user.net" />

</form>

<script>

document.forms[0].submit();

</script>

</body>

</html>

When a vulnerable user enters the attacker's website, the following occurs:

• The attacker's page will cause an HTTP request to be sent to the vulnerable website.
• If the user is logged in to the vulnerable website, their browser will include their session cookie in the request (assuming SameSite cookies are not utilised).
• The vulnerable website will process the request normally, assuming it was made by the victim user, and changing their email address

Note

Although CSRF is commonly associated with cookie-based session handling, it can also occur in other circumstances where the programme adds certain user credentials to requests, such as HTTP Basic authentication and certificate-based authentication. 

Defending against CSRF attacks

The most effective technique to prevent CSRF attacks is to include a CSRF token in relevant queries. The token should be as follows:

• Unpredictable with large entropy, which is the case with session tokens in general.
• Connected to the user's session.

Every case is rigorously evaluated before the required action is carried out.