What is CSRF? Protect Your Web Applications from Unwanted Actions

TL;DR - Key Takeaways

• Cross-Site Request Forgery (CSRF) is a web security vulnerability that tricks a user into performing actions they did not intend to on a web application where they are authenticated.
• CSRF exploits the trust a web application has in the user's browser by making unauthorized requests that appear to come from the authenticated user.
• This vulnerability can lead to unauthorized transactions, data changes, or even account takeovers.
• Commonly affected applications include those with insufficient CSRF protection mechanisms, especially ones handling sensitive operations.
• Prevention techniques include CSRF tokens, SameSite cookies, and verifying request origins.
• Understanding CSRF is critical for developers and security professionals to ensure web applications are secure from these types of attacks.

What is Cross-Site Request Forgery (CSRF)?

Cross-Site Request Forgery (CSRF) is akin to a trusted friend asking you to sign a blank check. Imagine you're at home, and you receive a call from someone posing as your bank representative. They ask for a few details to "confirm" your identity. Unbeknownst to you, they use this information to transfer money from your account. Similarly, CSRF tricks a user's browser into executing unwanted actions on a web application where the user is authenticated, without their consent or knowledge.

In CSRF attacks, the adversary uses social engineering tactics, like sending a malicious link or embedding a request in an email or website, to manipulate the victim's browser into making unauthorized transactions. The key factor here is that the request is sent from the user's browser, leveraging the existing session and authentication context.

Why Does This Matter?

CSRF attacks can have severe real-world implications. According to OWASP, CSRF is ranked among the top security risks due to its widespread nature and potential impact. Consider a scenario where a victim unknowingly performs financial transactions, changes account settings, or even deletes critical data on an application they trust. These actions can lead to financial loss, data breaches, or loss of service.

For instance, a CSRF vulnerability discovered in GitHub in 2014 could have allowed attackers to add new SSH keys to a user's account, ultimately leading to the control of their repositories. Such breaches underscore the importance of understanding and mitigating CSRF vulnerabilities.

Statistics and Impact

• According to the 2021 Verizon Data Breach Investigations Report, CSRF attacks are less common than other vulnerabilities but can be significantly damaging when exploited.
• Applications handling financial transactions, user settings changes, or administrative functions are prime targets.
• Companies of all sizes can be affected, from small startups to large enterprises.

Types / Categories

While CSRF itself is generally categorized as a single type, the attacks can differ based on how they're executed and the contexts they exploit. Here are some variations:

• GET-based CSRF: Involves exploiting HTTP GET requests where actions can be triggered without any form submission.
• POST-based CSRF: Targets HTTP POST requests, often used for forms and submission actions that modify data.
• Link-based CSRF: Utilizes malicious links that, when clicked, trigger a CSRF attack.
• Image-based CSRF: Embeds a malicious request within an image tag to perform the attack without direct user interaction.

How It Works — Step by Step

To understand how a CSRF attack works, let's walk through a typical attack flow with a diagram.

sequenceDiagram
    participant User
    participant Browser
    participant Attacker
    participant WebApp

    User->>Browser: Logs in to WebApp
    Browser->>WebApp: Sends authentication cookies
    WebApp-->>Browser: Authenticated session established

    Attacker->>User: Sends malicious email/link
    User->>Browser: Clicks link/open email
    Browser->>WebApp: Sends request with authentication cookies (CSRF)
    WebApp-->>Browser: Processes the request as legitimate

Explanation: The user logs into their web application, which sets an authentication cookie. An attacker sends a crafted link or request to the user. When the user clicks the link, their browser sends a request to the web application with the existing authentication cookies, making it appear legitimate. The application, trusting the authenticated session, processes the request without verifying its legitimacy.

Simple Proof-of-Concept Code

Let's look at a simple CSRF attack using an HTML form:

<!-- CSRF Attack Form -->
<form action="https://example.com/transfer" method="POST">
  <input type="hidden" name="amount" value="1000">
  <input type="submit" value="Transfer Money">
</form>

Explanation: This form, when loaded in a user's browser, will submit a POST request to https://example.com/transfer with a hidden field amount set to 1000. If the user is logged into the target application, this request could transfer money without their consent.

Hands-On Lab / Demo

Setting Up DVWA

The Damn Vulnerable Web Application (DVWA) is an excellent tool to practice and understand CSRF attacks safely.

1. Install DVWA: Follow instructions from the official DVWA GitHub repository to set up the application locally using XAMPP or Docker.

2. Access CSRF Module: Once DVWA is running, navigate to the CSRF section.

3. Perform a CSRF Attack:

   • Use the provided form to change a user's password via CSRF.
   • Observe how the application processes the request without verifying its origin.

4. Implement Basic Protection:

   • Modify the application code to include CSRF tokens and observe how it mitigates the attack.

Tool Commands

Use Burp Suite to intercept and modify requests:

# Start Burp Suite and configure browser to use Burp's proxy

Explanation: Burp Suite will intercept HTTP requests between the browser and the web application, allowing you to inspect and modify them as needed.

Common Misconceptions

CSRF Only Affects POST Requests

Many believe CSRF only affects POST requests, but GET requests can also be exploited if the server executes sensitive actions via GET.

CSRF Requires User Interaction

While many CSRF attacks involve user interaction (e.g., clicking a link), some can be executed passively, such as when a malicious image is loaded.

All CSRF Attacks Are Visible

CSRF attacks can be silent, with victims unaware that actions have been performed on their behalf, especially if there is no obvious feedback.

How to Defend Against It

1. Use CSRF Tokens:

   • Generate a unique token for each user session.
   • Include the token in forms and validate it on the server-side.

   # Flask example for generating a CSRF token
   from flask import session, request, abort
   
   def generate_csrf_token():
       if '_csrf_token' not in session:
           session['_csrf_token'] = some_random_string_function()
       return session['_csrf_token']
   
   def validate_csrf_token():
       token = request.form.get('_csrf_token')
       if not token or token != session.get('_csrf_token'):
           abort(403)
   

   Explanation: This Flask code snippet generates and validates a CSRF token for form submissions.

2. SameSite Cookies:

   • Set the SameSite attribute for cookies to prevent them from being sent with cross-site requests.
   • Example setting: Set-Cookie: sessionid=value; SameSite=Strict

3. Verify Request Origin:

   • Check the Referer or Origin headers for incoming requests to ensure they match the expected domain.

4. Use Custom HTTP Headers:

   • Require a custom header (e.g., X-CSRF-Token) with all state-changing requests.

   // Example AJAX request with custom header
   fetch('/api/change', {
     method: 'POST',
     headers: {
       'Content-Type': 'application/json',
       'X-CSRF-Token': csrfToken
     },
     body: JSON.stringify({ key: 'value' })
   });
   

   Explanation: This fetch request includes a custom CSRF token header, enhancing security.

5. Limit Session Duration:

   • Reduce the window of opportunity for CSRF by limiting session timeouts.

Further Learning Resources

• OWASP CSRF Prevention Cheat Sheet
• PortSwigger Web Security Academy
• Cross-Site Request Forgery (CSRF) - MDN Web Docs
• Hack The Box Challenges - Practice CSRF and other web vulnerabilities.

Conclusion

Cross-Site Request Forgery is a critical web security issue that exploits the trust between a user's browser and a web application. Understanding how CSRF works and implementing robust prevention strategies is crucial for developers and security professionals alike. By integrating techniques like CSRF tokens, SameSite cookies, and request origin verification, you can significantly reduce the risk of CSRF attacks on your applications.

Always stay informed about new developments in web security and continually test your applications for vulnerabilities. Equip yourself with knowledge and tools to protect against CSRF, ensuring the safety and integrity of your web applications. Keep exploring and learning through practical exercises and community resources.