Cross Site Request Forgery (CSRF)

A Cross Site Request Forgery or CSRF (pronounced see surf) is an attack on an authenticated user where the user’s existing session on a website is tricked into performing an action (e.g. a purchase, a transfer, or profile update).

Note

CSRF is also sometimes called XSRF

Some HTML elements cause the browser to send requests to other domains. For example, a <form> element that submits data to a different domain. When submited this form will send its data over to the other page along with the user’s cookie. When the server receives the request, it has no way of reliably telling whether the request was initiated by the user on a legitimate site or a malicious site. Despite this, if the site is programmed incorrectly, it will process the request causing a CSRF vulnerability.

The entire premise of CSRF is based on session riding, where the malicious site is able to:

  1. Have the browser send cross domain requests with cookies

  2. Trick the server into accepting it as legitimate data

Exploiting CSRF

GET requests are often used by websites to get user input. Say a user signs in to an banking site which assigns their browser a cookie which keeps them logged in. If they transfer some money, the URL that is sent to the server might have the pattern:

http://bank.com/transfer.do?acct=[RECIPIENT]&amount=[DOLLARS]

Knowing this format, an attacker can send an email with a hyperlink to be clicked on or they can include an image tag of 0 by 0 pixels which will automatically be requested by the browser such as:

<img src="http://bank.com/transfer.do?acct=[RECIPIENT]&amount=[DOLLARS]" width="0" height="0" border="0">

This same technique can be used against POST requests through the <form> element:

<form method="POST" action="http://bank.com/transfer.do">
    <input type="hidden" name="acct" value="RECIPIENT">
    <input type="hidden" name="amount" value="DOLLARS">
</form>
<script>document.forms[0].submit()</script>

Notice that there is a small JavaScript snippet to automatically submit the form element.