CSRF
Update: December 2022
I mostly learned about the CSRF vulnerability and attack methods using PortSwigger Academy.
Description
CSRF stands for Cross-Site Request Forgery. CSRF occurs when a malicious actor induces a victim to perform an unintended action on a web application to which the victim is authenticated. The attack often requires some social engineering, since the victim usually needs to click a link or a button for the undesirable action to occur. The malicious link or page can be delivered by email or chat.
A CSRF attack can be conducted using either GET or POST requests.
Impacts
The impact depends entirely on the request targeted by the CSRF attack and on the functionality the web application exposes.
Ex: account takeover, posting on social media, changing user settings, ordering to an attacker-chosen address, etc.
Conditions
Three conditions must all be met for a CSRF attack to succeed:
A relevant action that the victim can be induced to perform (password change, email modification, fund transfer, change of account settings, etc.).
The application relies solely on session cookies, which the browser attaches automatically, to authorize the action.
No unpredictable parameters in the request body or headers, such as an anti-CSRF token or the victim's current password.
Example of a CSRF Payload
This payload is an HTML form hosted on the attacker's server. When the victim is tricked into opening the malicious.html file, a POST request is sent automatically to change the user profile information on the xss.htb.net web application. The email linked to the victim's account is set to an arbitrary address chosen by the attacker.
Mitigation
The most common defense against CSRF is the CSRF token. CSRF tokens are generated server-side and take the form of a long string of random characters. Every state-changing request should carry a CSRF token. When the request arrives, the server validates the token attached to it; if validation fails, the server must reject the request. Because the attacker does not know the token, and the browser does not attach it automatically the way it attaches cookies, the attacker cannot forge a valid request.
A CSRF token should be:
Unpredictable
Kept secret
Protected from leaking through URLs or access logs (never placed in a query string)
Unique per user session
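As an added example, not taken from the original notes or from PortSwigger, the Python snippet below shows the server-side token workflow described above: a random token generated per session, sent back in the form, and validated with a constant-time comparison before the state-changing action runs. The CsrfSession class, the handle_change_email handler and the dict-shaped request are illustrative assumptions, not any real framework's API.

```python
import hmac
import secrets


class CsrfSession:
    """Minimal server-side CSRF protection: one random token per user session."""

    def __init__(self):
        # session_id -> csrf_token (assumed in-memory store for illustration)
        self.sessions = {}

    def new_session(self):
        # Both the session id and the token come from a CSPRNG (unpredictable).
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = secrets.token_urlsafe(32)
        return sid

    def token_for(self, sid):
        # Embedded in a hidden form field, never in a URL (avoids log leakage).
        return self.sessions[sid]

    def validate(self, sid, submitted):
        expected = self.sessions.get(sid)
        if expected is None or submitted is None:
            return False
        # Constant-time comparison so timing does not leak the token.
        return hmac.compare_digest(expected, submitted)


def handle_change_email(store, request):
    """Simulated state-changing handler.

    `request` is a constructed dict with 'cookies' and 'form' sub-dicts.
    Returns (status_code, message) so the outcome can be checked.
    """
    sid = request["cookies"].get("session")
    if sid is None or sid not in store.sessions:
        return 401, "not authenticated"
    # A cross-site form carries the victim's cookie but cannot know the token.
    if not store.validate(sid, request["form"].get("csrf_token")):
        return 403, "invalid CSRF token"
    return 200, "email updated to " + request["form"]["email"]
```

A forged request that only replays the victim's cookie stops at the 403 branch; a token copied from the attacker's own session fails too, because tokens are bound to the session id.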