Cross-Site Request Forgery



Description

A cross site request forgery (CSRF) attack occurs when an attacker tricks a victim into loading a page that contains a malicious request. This request might be able to change the state of the web application, and is possible because the request is sent in the context of the logged in victim. For many sites, each request automatically sends the victim's credentials, such as the session cookie or authentication credentials. Due to this fact, there is no way to distinguish the false request from a legitimate request. CSRF vulnerabilities affect web applications that allow authenticated users to perform operations that are not available to guest users.

Cross site request forgery attacks are known by other names including XSRF, session riding, one-click and zero-click attacks. A one-click attack refers to a link that causes a malicious action to be performed when a victim clicks on it. A zero-click attack is automatically executed upon page load. A common way to perform a zero-click attack is to embed the request in the source of an image.

Impact

CSRF allows the attacker to carry out actions on behalf of an authenticated user by tricking the user into visiting a malicious page or link. The exact impact depends on the functionality that is vulnerable to CSRF. The attacker will usually try to add a privileged user account for themselves or to inject arbitrary code into the application. If either of those scenarios succeeds, the attacker gains full control of the application.

Countermeasures

To prevent CSRF, include unique tokens in pages that invoke security sensitive operations, and require users to re-authenticate before performing sensitive operations.

Use unique tokens in sensitive requests:

Require the user to re-authenticate for sensitive operations:

Application Check

To check for adequate protection against CSRF, ensure that unique tokens are used in pages that carry out sensitive operations, and that users are required to re-authenticate before performing sensitive operations.

Unique tokens are used in sensitive requests:

Users are required to re-authenticate for sensitive operations:

Computer Based Training Links

Use the following Computer Based Training course(s) for more background information about this type of vulnerabilities.

OWASP Top Threats & Mitigations

This course examines in depth the vulnerabilities, threats, and mitigations described in the OWASP Top 10 2013. Upon completion of this class, participants will be able to identify and mitigate the greatest threats that web application developers face, including: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.

DES 221 OWASP Top Threats & Mitigations

Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact support@securityinnovation.com for help.

!Have a comment about this article? Send our team an email.