What is Cross-site request forgery (CSFR)?

Cross-site request forgery (CSFR) is a web security vulnerability that enables an attacker to capitalize on a website user’s authenticated session to carry out malicious actions through the user that the user did not intend to execute. To do so, the attacker tricks the user into accessing a hidden URL or script that will submit a malicious request to the website. These unwanted requests can change the user’s passwords, share confidential information with the attacker, and even transfer funds from a user to the attacker without the user’s intent.

How does CSRF work?

CSRF attacks rely on the fact that session authentication is done through HTML cookies. Since a website validates user requests through these cookies, any privileged action can be carried out in an authorized session. So, as long as a user is authenticated and the attacker can induce them to carry out unwanted requests without knowing any request parameters, CSRF attacks can be initiated.

Let’s look at an example to understand the attack more clearly. Suppose a user visits a commercial website that sells shoes online. What the user does not know is that this website is vulnerable. The user then clicks on a link they think will lead to a trending set of heels, however, the <a> tag the user accesses actually looks like this:

<a href="http://edbank.com/transfer.do?acct=MALICE&amount=＄5000000">Heels Trending Now!</a>

So, when the user accesses the link, an authenticated HTTP request is sent to edbank.com that transfers $5000000 from the user’s account to the attackers Malice account without the user even knowing!

Similar attacks can be set up with other HTML tags and methods as well.

How to prevent CSRF attacks?

Needless to say, CSRF attacks are a big threat to users and websites. Luckily, with some awareness, both parties can guard against these attacks.

Users can do so by logging out of any idle websites and avoiding simultaneous browsing so that no authenticated webpage can be misused by an attacker. Users can also put effort into setting secure passwords and keeping them safe by disabling the storage in their web browsers.

Websites can secure themselves against CSRF attacks in two main ways: using CSRF tokens and CAPTCHAs. CSRF tokens are the most robust known way to counter CSRF attacks. These tokens are secret, randomized values produced by a web server for each session. Once these tokens are transmitted to clients, all subsequent HTTP requests from the client are validated against these values. Without this validation, the server should not execute any action. CSRF tokens ensure security against CSRF attacks since they are generated to be highly unpredictable and change frequently.

The second way for websites to protect against CSRF attacks are with CAPTCHAs and alert messages. Before any privileged action is about to be carried out, the website should be designed to display an alert or confirmation message to inform the user of the action. A small CAPTCHA challenge can go one step further and ask the user to solve the CAPTCHA challenge to confirm the action. This will remove the chance of bots confirming the action.