CROSS-SITE REQUEST FORGERY (CSRF/XSRF)
this is an attack that forces an end-user to execute unintended actions on a web application in which they are currently authenticated. it is usually mounted with the help of attacker-crafted web pages that the victim must visit or interact with, leveraging the absence of anti-CSRF mechanisms. these pages issue malicious requests that inherit the identity and privileges of the victim, so the application performs an undesired action on the victim's behalf. a csrf attack that successfully targets a regular user can only compromise that user's data; however, the entire webapp can be compromised if a user with administrative privileges is targeted. below are the characteristics of web apps that are vulnerable to csrf and the requirements for successfully exploiting a csrf vulnerability. applications that feature no anti-CSRF protections are easy to exploit.
webapp vulnerability
All the parameters required for the targeted request can be determined or guessed by the attacker
The application's session management is solely based on HTTP cookies, which are automatically included in browser requests
successful csrf exploitation
A malicious web page crafted by the attacker that issues a valid (cross-site) request impersonating the victim
The victim is logged into the application at the time the malicious cross-site request is issued
To prevent CSRF vulnerabilities, ensure user authorization for each function request and implement security tokens (Synchronizer Token Pattern) for sensitive operations. Additional protections include Referer header checking, verifying page access order, and using two-step confirmations. Using the SameSite attribute for cookies also strengthens CSRF defenses. These methods should be used together for optimal protection. refer to the following resource for more in-depth details around
implement anti-csrf protections such as same-origin/same-site protections
although this protection prevents csrf attacks, it can be bypassed. e.g., a request issued through XSS will bypass any same-origin/same-site protection since it originates from the same domain!
ensure anti-csrf protections can't be easily bypassed
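The following is an added example, not code from the original page: it models the two vulnerability conditions above (guessable parameters, cookie-only session handling) with a cookie-only transfer handler, then hardens it with the Synchronizer Token Pattern. Requests are plain dicts and the session store, handler names and the `/transfer` parameters are constructed for the illustration.

```python
import hmac
import secrets

# Constructed in-memory session store for this example; a real app would use
# its framework's server-side session. Keyed by the session cookie value.
SESSIONS = {}

def login(session_id, user):
    """Start a session and bind a fresh, unguessable anti-CSRF token to it."""
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return SESSIONS[session_id]["csrf_token"]  # the app embeds this in its own forms

def transfer_vulnerable(request):
    """Vulnerable handler: the session cookie, which the browser attaches
    automatically, is the only thing that authorises the action."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    return 200, f"{session['user']} sent {request['form']['amount']} to {request['form']['to']}"

def transfer_protected(request):
    """Hardened handler (Synchronizer Token Pattern): the request must also carry
    the token bound to the session, which a cross-site page cannot read or guess."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    # constant-time comparison so response timing does not leak the token
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid csrf token"
    return 200, f"{session['user']} sent {request['form']['amount']} to {request['form']['to']}"

def demo():
    """Replay a legitimate submission and a cross-site one against both handlers."""
    token = login("sess-alice", "alice")
    # Legitimate request: the app's own form, so it includes the token.
    legit = {"cookies": {"session": "sess-alice"},
             "form": {"to": "bob", "amount": "10", "csrf_token": token}}
    # Cross-site request: every parameter was guessable and the browser added
    # the cookie automatically, but the attacker's page cannot supply the token.
    cross_site = {"cookies": {"session": "sess-alice"},
                  "form": {"to": "mallory", "amount": "1000"}}
    return {
        "vulnerable_cross_site": transfer_vulnerable(cross_site)[0],  # 200: forged action succeeds
        "protected_cross_site": transfer_protected(cross_site)[0],    # 403: rejected
        "protected_legit": transfer_protected(legit)[0],              # 200: real user unaffected
    }

if __name__ == "__main__":
    print(demo())
```

Note that the token check only helps when the token is unreadable from other origins; as the page points out, script injected via XSS runs in the application's own origin and can read it, so the token is not a substitute for fixing XSS.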