What Is CSRF Attack And How To Prevent It?

what is csrf attack and how to prevent it.

To stop the loss of cash and credentials in a CSRF attack, both developers and users have an important role they have to play. This time we will discuss what is a CSRF attack and how to prevent it?

Cross-Site Request Forgery (CSRF) is one of the oldest ways to exploit website vulnerabilities. It targets server-side web which usually requires authentication such as logging. During a CSRF attack, the attacker aims to force his victims to make unauthorized malicious web requests on their behalf.

Weak or poor website security practices and carelessness in user paths are some of the common causes of successful CSRF attacks. Let's see what CSRF attacks are and how to prevent them as a developer or as a user.


What is CSRF?

Cross-Site Request Forgery (CSRF) is also known as “Session Riding” or “One-Click Attack”. This attack is a type of malicious Exploit attack against web application users. This attack has been listed as the 7th most exploitable among the top 10 Web Attacks.

CSRF is an attack that allows an attacker to make any unauthorized HTTP POST/GET requests on behalf of the victim currently authenticated to a website. There are many types of web attacks carried out using this CSRF technique, ranging from the less dangerous to the more dangerous.


How Does a CSRF Attack Affect Victims?

CSRF is an attack used to implement unauthorized requests during web actions that require user login or authentication. CSRF attacks can take advantage of session IDs, cookies and other server-based vulnerabilities to steal user credentials.

For example, enabling anti-CSRF procedures prevents cross-domain malicious interactions. Once that barrier is broken, an attacker can quickly exploit the user's session ID via cookies created by the user's browser and embed script tags into vulnerable websites.

By manipulating IDs, attackers can also redirect visitors to other web pages or exploit social engineering methods such as email to send links, prompting victims to download malicious software.

After the victim performs such an action, the perpetrator sends an HTTP request to the user's service page and authorizes the request action to support the attacker. That can be very damaging to unsuspecting users.

A successful CSRF attack can result in a user losing their access credentials to the attacker, especially during server-based actions such as password or username change requests. In a worse scenario, the attacker takes over the entire session and acts on behalf of the user.

CSRF has been used to hijack funds transactions over the web as well as change usernames and passwords, causing users to lose access to affected services.


How Attackers Hijack User Sessions With CSRF

The primary targets of CSRF attacks are web actions that involve user authentication. To be successful, it requires the unintentional action of the victim.

During CSRF attacks, GET, DELETE, and PUT actions, as well as vulnerable POST requests, are the main targets of attackers. Let's look at the meaning of those terms:

  • GET: Request to collect results from the database; for example, Google search.
  • POST: Usually for submitting a request via a web form. POST requests commonly occur during user registration or login, otherwise known as authentication.
  • DELETE: To delete a resource from the database. You do this every time you delete your account from certain web services.
  • PUT: PUT requests to modify or update existing resources. An example is changing your Facebook name.

In practice, attackers use session hijacking to support CSRF attacks. When using this combination, attackers can use hijacking to change the victim's IP address.

The IP address change then redirects the victim to a new website where the attacker has entered a spoofed link that submits an exact created form or a modified server request they made via CSRF.

The unsuspecting user then thinks the redirect is from the service provider and clicks on a link on the attacker's web page. Once they do this, the perpetrator submits the form on page load without their knowledge.


CSRF GET Request Example Attack

Imagine trying to make an online payment through an unsecured eCommerce platform. The platform owner uses GET requests to process your transactions. That GET query might look like this:

https://www.websiteurl/pay?amount=$10&company=[company%20ABC%27s%20account]

A hijacker can steal your transactions easily by changing the parameters of the GET request. To do this, all they need to do is swap your name for theirs, and even worse, change the amount you want to pay. They then change the original query to like this:

https://www.websiteurl/pay?amount=$20000&company=[attacker%27s%20account]

After you click the link to the modified GET request, you end up making an accidental transfer to the attacker's account.

Transacting via GET requests is bad practice, and makes the activity vulnerable to attack.


POST Request CSRF Attack Example

Many developers believe that using POST requests is safer to perform web transactions. While that's true, unfortunately, POST requests are also vulnerable to CSRF attacks.

To successfully hijack a POST request, all an attacker needs is your current session ID, some form of invisible duplication, and sometimes, a little psychological manipulation.

For example, a POST request form might look like this:

<form action="ABC's account" method="POST"><input type="text" name="name" placeholder="name"><br><input type="number" name="number">< br><input type="submit" name="submit"></form>

However, an attacker can swap your credentials by creating a new page and changing the form above to this:

<body onload="document.getElementById('payment-form').submit();"> <form action="Attacker's account" id="payment-form" method="POST"><input type="text" hidden name="name" placeholder="name"><br><input type="number" hidden value=30000 name="number"><br><input type="submit" hidden name="submit">< /form> </body>

In the manipulated form, the attacker sets the value of the amount field to “30000”, swaps the recipient's account number to their number, submits the form on page load, and also hides the form field from the user.

After they hijack the current session, your transaction page initiates a redirect to the attacker's page, which asks you to click on a link they know you are most likely to visit.

Clicking this loads a replicated form submission, which transfers your funds to the attacker's account. That means you don't need to click a button like “submit†for the transaction to take place because JavaScript automatically does this when the next web page loads.

Alternatively, an attacker could also create an HTML embedded email draft asking you to click on a link to perform the same page load form submission.

Another action vulnerable to a CSRF attack is a username or password change, for example a PUT request. The attacker replicates your request form and replaces your email address with theirs.

Then they steal your session and redirect you to a page or send you an email asking you to click on an interesting link.

It then sends out a manipulated form that sends a password reset link to the perpetrator's email address, not yours. That way, the perpetrator changes your password and logs you out of your own account.


How to Prevent CSRF Attacks As A Developer

One of the best methods to prevent CSRF is to use a token that changes frequently instead of relying on session cookies to execute state changes on the server.

Many modern backend frameworks offer security against CSRF. So if you want to avoid the technicalities of upgrading to CSRF yourself, you can easily get around it using server-side frameworks that come with built-in anti-CSRF tokens.

When you use an anti-CSRF token, server-based requests generate random strings instead of the more vulnerable session cookies. That way, you can protect your session from being guessed by hijackers.

Implementing a two-factor authentication (2FA) system to execute transactions in your web application also reduces the chances of CSRF. CSRF can also be initiated through cross-site scripting (XSS), which involves injection scripts into user fields such as comment forms. To prevent this, it's a good practice to enable HTML auto-escape in all user form fields throughout your website. It prevents form fields from interpreting HTML elements.


How to Prevent CSRF Attacks As A User

As a user of web services that involve authentication, you have a role to play in preventing attackers from stealing your credentials and sessions via CSRF as well. Make sure you use a trusted web service during activities that involve transferring funds. Additionally, use a secure web browser that protects users from session exposure, as well as secure search engines that protect against browsing data leaks.

As a user, you can also rely on third-party authenticators like Google Authenticator or alternatively to verify your identity via the web. While you may not be able to stop attackers from hijacking your sessions, you can still help prevent them by making sure that your browser doesn't store information like passwords and other login details.


Summary

So what is CSRF? CSRF is a type of attack that is carried out by executing commands on the system without having the authority to do so. CSRF is carried out by exploiting security gaps in the system.

Developers need to test web applications regularly for security breaches during development and deployment. However, it is common to introduce other vulnerabilities while trying to prevent other vulnerabilities. So be careful to make sure that you don't violate any other security parameters when trying to block CSRF.

Hopefully, this article about What Is CSRF Attack And How To Prevent It?, gives you a little insight. Also, read an article about What Is Denuvo Protection And Why Gamers Hate It that you may need to know. Thank you.

Previous Post Next Post