Guide To CSRF (Cross-Site Request Forgery) - Veracode
Cross-Site Request Forgery Guide: Learn All About CSRF Attacks and CSRF Protection
What is Cross-Site Request Forgery (CSRF)?
Cross-site request forgery, also called CSRF, is a type of web security
vulnerability that was long listed among the OWASP Top 10 Web Application
Security Risks (it was dropped as a standalone entry in 2017 once most web
frameworks shipped built-in defenses). A CSRF attack sends unwanted requests to
a web application or site from an authenticated user's browser. The attacker
crafts malicious content that tricks a user who is already logged in and
authenticated on a legitimate website into performing actions they did not
intend to take and may never notice.
CSRF attacks are often targeted, relying on social engineering like a phishing
email, a chat link, or a fake alert to cause users to load the illegitimate
request, which is then passed on to the site where they are authenticated.
https://www.veracode.com/security/cross-site-request-forgery-guide-learn-all-about-csrf-attacks-and-csrf-protection 1/7
5/1/24, 11:32 Guide to CSRF (Cross-Site Request Forgery) | Veracode
CSRF attacks generally focus on state changes, such as changing the email
address associated with an account, making a purchase, or transferring
funds from online banking.
For administrator-level users targeted with CSRF, this type of flaw can open
vulnerabilities to a web application or site overall by adding new
administrator accounts or changing administrator login information.
When a user is logged into a website, the browser automatically attaches some
form of authentication data to every request to that site: a session cookie,
HTTP Basic credentials, a client certificate, or another stored credential. A
CSRF flaw means the site does not distinguish between an intentional action
taken by the user and a forged request generated by a malicious link or script
on another site, because both arrive carrying the same credentials.
While CSRF may be less common than, for example, the use of hard-coded
passwords to operate certain types of devices, it is a form of insufficiently
This flaw is especially concerning to businesses and others with some type of
administrator-level access to web applications. For example, people with access
to the back end of a company's website may inadvertently send requests crafted
by an attacker. When a plug-in or module that contains these flaws is active on
the site, a CSRF vulnerability can let an attacker gain administrator-level
access or take over the site outright.
When a CSRF request arrives from a browser that is not logged in, nothing
happens; the target site simply rejects or discards it. When the site has a CSRF
flaw, the same request sent from a logged-in user's browser can execute any of
the site's state-changing actions.
Protecting a web application against CSRF flaws allows the application or target
site to differentiate such unwanted requests from legitimate requests, and this
protection can be achieved without detriment to the user experience.
must be authenticated against (logged into) the target site. For instance, let’s
say examplebank.com has online banking that is vulnerable to CSRF. If I visit a
page containing a CSRF attack on examplebank.com but am not currently logged
in, nothing happens. If I am logged in, however, the requests in the attack will
be executed as if they were actions that I had intended to take.
Let’s look at how the attack described above would work in a bit more detail.
First, let’s assume that I’m logged into my account on examplebank.com, which
allows for standard online banking features, including transferring funds to
another account.
<iframe src="http://examplebank.com/app/transferFunds?a
As I clicked through the configuration guide, I missed the 1x1 pixel image that
failed to load:
<img src="http://192.168.1.1/admin/config/outsideInterface?nexthop=123.45.67.89" alt="pwned" height="1" width="1"/>
The attackers knew that while I was reading their tutorial I would be logged into
the router's administrative interface, so they planted the CSRF attack in the
tutorial page. With that single request my router would be reconfigured so that
my traffic is routed through their proxy server, where they can do all manner
of bad things with it.
Each time the server renders a page that includes a sensitive action, it passes
a unique CSRF token to the user, typically as a hidden form field that the
attacker's page cannot read. For this system to work, the server must perform
the requested sensitive action only when the token is fully validated, rejecting
every request whose token is invalid or missing. One common error when
implementing CSRF token checks is to reject requests with invalid tokens but
let requests with missing tokens proceed, which renders the token process
ineffective.
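The following is an added example, not code from Veracode's guide, showing the synchronizer token pattern described above with the flawed "missing token passes" check beside the correct one. The in-memory SESSIONS store, the session id that stands in for the session cookie, and the change_email handler are all hypothetical stand-ins for a real framework's session backend and route handlers.

```python
import hmac
import secrets

# Constructed in-memory session store; a real application would use its
# framework's session backend. The session id is what the session cookie carries.
SESSIONS = {}


def new_session(email="alice@example.com"):
    """Create a logged-in session and mint a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"email": email, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_token(sid):
    """Value the server embeds as a hidden field in each form that performs a sensitive action."""
    return SESSIONS[sid]["csrf_token"]


def validate_csrf_flawed(sid, submitted):
    """The common mistake: a wrong token is rejected, but an absent one is let through."""
    if submitted is None:
        return True
    return hmac.compare_digest(SESSIONS[sid]["csrf_token"].encode(), submitted.encode())


def validate_csrf(sid, submitted):
    """Correct check: reject missing tokens, unknown sessions and mismatches alike."""
    session = SESSIONS.get(sid)
    if session is None or not isinstance(submitted, str) or not submitted:
        return False
    # Constant-time comparison so the token cannot be recovered byte by byte via timing.
    return hmac.compare_digest(session["csrf_token"].encode(), submitted.encode())


def change_email(sid, form, validator=validate_csrf):
    """Handler for the state-changing request; `form` is the parsed POST body."""
    if not validator(sid, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    SESSIONS[sid]["email"] = form["email"]
    return 200, "email updated"


if __name__ == "__main__":
    sid = new_session()
    # Legitimate submission: the form the server rendered carries the session's token.
    print(change_email(sid, {"email": "alice@new.example", "csrf_token": render_token(sid)}))
    # Forged cross-site request: the attacker's page cannot read the token, so it is absent.
    print(change_email(sid, {"email": "attacker@evil.example"}))
    # The same forged request against the flawed validator succeeds.
    print(change_email(sid, {"email": "attacker@evil.example"}, validator=validate_csrf_flawed))
```

The point of the two validators is the third call: an attacker's page never has the token, so a check that only rejects wrong tokens and waves through absent ones protects against nothing.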
CSRF tokens can also be combined with other protective measures, including
setting session cookies with the SameSite cookie attribute. This attribute tells
the browser whether a cookie may be attached to requests that originate from
another site: Strict never sends it cross-site, Lax sends it only on top-level
navigations that use safe methods such as GET, and None always sends it (and
requires the Secure attribute). Online banking sites, for example, may want the
strictest setting. You can also add the HttpOnly attribute, which stops script
from reading the cookie and so blunts session theft through cross-site
scripting. Note, however, that HttpOnly does not stop CSRF-style actions driven
by an XSS payload: script running in the site's own origin can still issue
authenticated requests, and can read the CSRF token out of the page. The only
real remedy there is to fix the cross-site scripting flaw itself.
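To make the SameSite behaviour concrete, here is an added example (not Veracode's code) that models the decision a current browser makes before attaching a session cookie to a request, and runs it over the attack vectors this guide has shown: the 1x1 image and hidden iframe from the router example, a top-level link click, and an auto-submitting POST form. The Cookie and Request classes, the VECTORS table and set_cookie_header are hypothetical; the model assumes the SameSite attribute is set explicitly and does not reproduce Chromium's temporary leniency for cookies that omit it.

```python
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: str  # "Strict", "Lax" or "None"
    secure: bool


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool            # initiated by a page on a different site than the cookie's
    top_level_navigation: bool  # link click, form submit or redirect, not <img>/<iframe>/fetch
    https: bool


def browser_sends_cookie(cookie: Cookie, req: Request) -> bool:
    """Model of the SameSite check a modern browser applies before attaching a cookie.

    Assumes the attribute was set explicitly. Chromium's "Lax-allowing-unsafe" grace
    period for cookies with no SameSite attribute is deliberately not modelled.
    """
    if not req.cross_site:
        return True
    if cookie.samesite == "Strict":
        return False
    if cookie.samesite == "Lax":
        # Lax still lets the cookie ride along on a cross-site top-level GET, so any
        # GET endpoint that changes state stays exploitable through a plain link.
        return req.top_level_navigation and req.method in SAFE_METHODS
    if cookie.samesite == "None":
        # A SameSite=None cookie without Secure is rejected when set, so it never
        # exists; a Secure one is attached to every cross-site request over HTTPS.
        return cookie.secure and req.https
    raise ValueError(f"unknown SameSite value {cookie.samesite!r}")


# Constructed request vectors; the first four are what an attacker's page can generate.
VECTORS = {
    "img_tag_get": Request("GET", cross_site=True, top_level_navigation=False, https=True),
    "iframe_get": Request("GET", cross_site=True, top_level_navigation=False, https=True),
    "link_click_get": Request("GET", cross_site=True, top_level_navigation=True, https=True),
    "auto_submit_form_post": Request("POST", cross_site=True, top_level_navigation=True, https=True),
    "same_site_form_post": Request("POST", cross_site=False, top_level_navigation=True, https=True),
}


def attack_surface(cookie: Cookie) -> dict:
    """For each vector, whether the session cookie would accompany the forged request."""
    return {name: browser_sends_cookie(cookie, req) for name, req in VECTORS.items()}


def set_cookie_header(name: str, value: str, samesite: str,
                      secure: bool = True, httponly: bool = True) -> str:
    """Build a Set-Cookie line, refusing the combination browsers refuse."""
    if samesite not in ("Strict", "Lax", "None"):
        raise ValueError(f"unknown SameSite value {samesite!r}")
    if samesite == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    parts = [f"{name}={value}", "Path=/", f"SameSite={samesite}"]
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    return "Set-Cookie: " + "; ".join(parts)


if __name__ == "__main__":
    for policy in ("Strict", "Lax", "None"):
        print(set_cookie_header("session", "...", policy))
        for vector, sent in attack_surface(Cookie("session", policy, secure=True)).items():
            print(f"  {vector:24s} cookie sent: {sent}")
```

Two results are worth noticing. Under Lax the image and iframe vectors from the router example are blocked, but the same URL reached by a top-level link still carries the cookie, which is why state-changing GET endpoints remain a CSRF problem regardless of the cookie setting. And SameSite is a browser-side control: it does nothing against an attacker who controls a sibling subdomain of the same site, so it complements the token check rather than replacing it.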
Veracode static analysis can find CSRF flaws and other credential management
vulnerabilities in web applications, including third-party components and plug-
ins, pointing developers to how and where repairs can be made, even without
examining the source code.