Protection Against Cross-Site Request Forgery Attacks
Learn about cross-site request forgery attacks and how to prevent them.
Introduction
The cross-site request forgery (CSRF) attack can be defined as an attempt to generate a malicious request on behalf of an authenticated user’s session.
Ways to introduce a CSRF attack
Social engineering: The attack can bluff the targeted victim into prompting action to a malicious link. Upon opening the link, a CSR-based attack can be sent to the website. This link can be sent to the users via email or other social media platforms.
Malvertising: Nowadays, marketing trends are becoming increasingly digitalized. Many internet-based publishers utilize websites to display their ads. The attacker can place malicious ads on websites that are visited by the victim. These ads can contain malicious code that executes when clicked.
Session hijacking: The attacker tries to exploit the vulnerable authentication mechanism of the website. Session hijacking is also known as cookie hijacking, in which attackers gain access to the session’s cookie—a specific cookie value that’s used to distinguish a user’s session.
Potential effects of CSRF attack
Account takeover: A CSRF attack can easily hack into someone’s account. The attacker can then make changes to it, like changing the password, taking their money, or making purchases.
Data extraction: A hacker can pull out sensitive information from a victim’s account. With a few key clicks, they can access the victim’s credit card numbers, social security numbers, and passwords.
Doxing: Using a CSRF attack to dox somebody lets the attacker see all of their info: addresses, phone numbers, and even social media profiles.
Website tampering: Defacement is another outcome of CSRF attacks. For anybody who looks at it, it seems as if the website has been vandalized. The attacker can inject bad code into the pages, altering their appearance to visitors.
DoS attacks: The last thing an attacker can do with CSRF attacks is launch a DoS attack. By doing so, they can make so many requests that the site will be unavailable to other users.
Protecting Laravel apps from CSRF attack
For every active user’s session, the Laravel app creates a unique hash code named csrf-token
. When a session is recreated, a unique code is generated that aids the application in determining if a request is legitimate or not. For the verification procedure to work, this code is essential.
Laravel, by default, applies custom middleware to every request that uses the following methods:
PUT
PATCH
DELETE
POST
Without the presence of csrf-token
, Laravel disrupts the request, thereby not allowing attackers to exploit the system.
Utilizing the CSRF token in Laravel
While defining a form, developers can define csrf
by using the following snippet of code:
Get hands-on with 1400+ tech skills courses.