Cross-Site Request Forgery (CSRF)
Understand how Cross-Site Request Forgery (CSRF) exploits authenticated sessions to perform unauthorized actions on trusted sites. Explore real attack examples and common misconceptions about prevention. Learn defense strategies including CSRF tokens, verifying Origin headers, SameSite cookies, CORS policies, and two-factor authentication to protect your JavaScript applications from CSRF vulnerabilities.
Broken Access Control
Cross-Site Request Forgery (CSRF) is an attack in which a malicious site causes the victim's browser to send a cross-origin request to a trusted site where the victim is currently authenticated. The attack works because the browser automatically attaches the credentials it holds for the trusted site, typically the session cookie, to that request regardless of which page triggered it. Since the cookie is present and valid, the trusted site has no way to tell a forged request from one the user actually intended to make. CSRF falls under the Broken Access Control category, which is ranked number one in the OWASP Top Ten (2021).
The GET example
Let's say Sally is a customer at https://bank.com. After they log in, a session cookie is set in their browser. The bank uses GET requests to initiate transfers of money between accounts, so a state-changing action is reachable from a plain URL. The authenticated request to transfer $1,000 from Sally to Fred might look something like GET https://bank.com/transfer?acct=fred&amount=1000. This request only works after Sally has logged in and their session cookie has been set.
A hacker then sends Sally an unsolicited email with this HTML content:
<a href="https://bank.com/transfer?acct=fred&amount=1000">Click here to claim your prize!</a>
If Sally clicks the link while still logged in to their bank, the browser sends the request with their session cookie attached, bank.com treats it as an authenticated request from Sally, and their funds are transferred.
The attack does not even need a click. Because browsers fetch image sources automatically, the same kind of request can be fired silently from a zero-size image embedded in an email or on any page the victim visits while logged in (the OWASP example below uses a different account name and path, but the mechanism is identical):
<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="0" height="0" ...