CSRF

Cross-Site Request Forgery

Related error

"This server is vulnerable to a cross-site request forgery attack. Append each request with CSRF token or SameSite cookie attribute."

Problem

A cross-site request forgery (CSRF) is an attack that causes a user to unintentionally send a request to a web application with which they are authenticated. CSRF attacks exploit the trust a web application places in an authenticated user.

CSRF attacks are often targeted, using social engineering, such as:

  • Phishing email

  • Chat link

  • Fake alert

When a user signs in to a web application, the attacker prompts them to click a URL containing an unauthorized request for that web application. The user’s browser then sends this maliciously crafted request to the targeted web application, including session information such as session cookies or stored credentials. If the user has an active session with the targeted web application, the application processes the request as an authorized, user-initiated request. This allows the attacker to exploit the CSRF vulnerability of the web application.

The impact of the attack depends on the level of privileges the victim has. A CSRF attack does not directly steal the user’s identity. Instead, it exploits the user to carry out actions without their consent.

A successful CSRF attack forces the user to perform a state-changing request, such as:

  • Password change

  • Email address change

  • Modify or delete records

  • Fund transfer

  • Purchases

Solution

To prevent a CSRF attack:

  • Use CSRF tokens for all state-changing requests

    A CSRF token, also known as a synchronizer token or challenge token, is a unique and secret value generated for each user session. Because the attacker cannot obtain the token, a forged cross-site request cannot include it and is rejected.

  • Use the SameSite cookie attribute for session cookies

    Set the SameSite attribute on cookies as an extra layer of protection alongside the CSRF token. The SameSite attribute instructs the browser to send the cookie only when the request originates from the same site as the cookie, and not from a cross-site context.
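As an added example that is not part of the original page, the following Python (standard library only, with a constructed in-memory session store) combines both recommendations: a per-session synchronizer token, generated server-side here and checked on every state-changing request, and a session cookie marked SameSite.

```python
# Added example (not from the original page): a per-session synchronizer token
# plus a SameSite session cookie, using only the Python standard library.
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store: session_id -> {"user": ..., "csrf": ...}
SESSIONS = {}


def create_session(user):
    """Start a session and bind a fresh, random CSRF token to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return session_id


def session_cookie_header(session_id):
    """Set-Cookie value for the session cookie. SameSite=Strict stops the
    browser from attaching it to cross-site requests; Secure and HttpOnly
    harden it further."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


def render_form(session_id):
    """Embed the session's token as a hidden field in a state-changing form."""
    token = SESSIONS[session_id]["csrf"]
    return (f'<form method="POST" action="/email">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            f'<input name="email"><button>Change</button></form>')


def handle_state_change(session_id, form_fields):
    """Reject the request unless it carries the token bound to this session."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "no session"
    submitted = form_fields.get("csrf_token", "")
    # Constant-time compare so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "CSRF token missing or invalid"
    return 200, f"email changed for {session['user']}"
```

A forged request from another site fails twice: the SameSite cookie is never attached, and even if the session cookie were present, the attacker's form cannot carry the session's token.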

Note

Older browsers may not support the SameSite cookie attribute.