Cross-Site Request Forgery
Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user to perform unwanted or sensitive actions on a web application. CSRF attacks specifically target state-changing requests rather than theft of private data, because the attacker has no way to see the response to the forged request. Attackers trick users of web applications into making state-changing requests such as transferring funds or changing confidential details. If the victim is an administrative account, CSRF can compromise the entire web application.
For example:
Assume that you are a registered user of a private banking web application where you can perform transactions between accounts. There is also an attacker who tries to steal money from your account by making you perform actions from another site. You log in to the banking site, and an authenticated session is created for you.
You receive an anonymous email or an advertisement link on social media that entices you to click a button. The button is a styled submit button of a form built to perform a state-changing request, and it already carries all the data needed to transfer your money to the attacker's account.
You click it, and your authenticated session is used to make that state-changing request. Because the server performs no validation to confirm that the request was intentionally made by you, the request succeeds and your money is transferred to the attacker's account.
Defending against CSRF
There are several methods to defend against CSRF attacks. We'll cover two recommended patterns and implement them in web applications to prevent CSRF attacks.
- Synchronizer Token Pattern
- Double Submit Cookies Pattern
Synchronizer Token Pattern
A sample PHP implementation demonstrating the CSRF Synchronizer Token Pattern is available on GitHub and is also deployed to Heroku.
Design
To protect state-changing requests (POST) from CSRF, the Synchronizer Token Pattern includes a server-generated CSRF token in a hidden input field of the submit form. The token is generated on the server, stored there, and validated against the stored value when the form is submitted. When a page loads, the client makes an AJAX call to the server, carrying its authenticated session, to retrieve the generated CSRF token and place it in the hidden input field.
Double Submit Cookies Pattern
A sample PHP implementation demonstrating the CSRF Double Submit Cookies Pattern is available on GitHub and is also deployed to Heroku.
Design
The Double Submit Cookies Pattern also includes a generated CSRF token in a hidden input field of the submit form, but in addition sends the same token to the client in a cookie. The token is generated by the server but, unlike in the Synchronizer Token Pattern, it is not stored there. Instead, the server validates the request by comparing the CSRF token submitted with the form against the CSRF token in the cookie. When the form is submitted, the cookie containing the CSRF token is read, the token is extracted and appended to the form.
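As an added example (not the PHP demo code from the linked repositories), the server-side validation logic at the heart of both patterns in Python: the synchronizer store keeps the token per session on the server, while the double-submit check compares cookie and form field without any server-side state. The session identifier and the forged values in the demo are constructed.

```python
import hmac
import secrets


# --- Synchronizer Token Pattern: token kept server-side, keyed by session ---
class SynchronizerTokenStore:
    def __init__(self):
        self._by_session = {}  # session_id -> token; the "stored in Server" part

    def issue(self, session_id):
        # Called by the AJAX endpoint when the page loads; the client puts the
        # value into the hidden input field of its form.
        token = secrets.token_urlsafe(32)
        self._by_session[session_id] = token
        return token

    def validate(self, session_id, form_token):
        expected = self._by_session.get(session_id)
        if expected is None or not form_token:
            return False
        return hmac.compare_digest(expected, form_token)  # constant-time compare


# --- Double Submit Cookies Pattern: nothing stored, cookie must match field ---
def issue_double_submit_token():
    # Sent to the client as a cookie; the page copies it into the hidden field.
    return secrets.token_urlsafe(32)


def validate_double_submit(cookie_token, form_token):
    # Valid only when both halves are present and identical. A forged
    # cross-site POST carries the victim's cookies automatically, but the
    # attacker's page cannot read them, so it cannot supply a matching field.
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def demo():
    """Constructed scenario: one legitimate transfer and one forged one per pattern."""
    store = SynchronizerTokenStore()
    session = "sess-victim-123"  # constructed session identifier
    token = store.issue(session)
    legit = store.validate(session, token)
    # Forged request: the session cookie is attached by the browser, but the
    # attacker never saw the token, so the hidden field holds a guess.
    forged = store.validate(session, "guessed-token")

    ds_token = issue_double_submit_token()
    ds_legit = validate_double_submit(ds_token, ds_token)
    ds_forged = validate_double_submit(ds_token, "")  # cookie present, field missing
    return legit, forged, ds_legit, ds_forged


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```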
You can find both deployed samples and their source code at the links mentioned above.
Happy attacking!