If you answered “I don’t know what CSRF is”, no problem. We’ve got you covered.
What is CSRF?
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated. (OWASP)
For this post we again have a great video by PwnFunction, in which he explains what CSRF is and shares some tips & tricks on how to successfully exploit CSRF.
Some key takeaways:
- Same-Origin Policy does not protect against CSRF
- Use anti-CSRF tokens to protect your site against CSRF
EXTRA: A tutorial by Troy Hunt, “Understanding CSRF, the video tutorial edition”.
Even though CSRF requires user interaction, the impact can be quite severe, for example an account takeover. The impact of CSRF is limited to the functionality of the application (changing data, creating/placing content, …).
An example of CSRF with no real security impact is adding items to someone else’s shopping cart. This also goes for login & logout CSRF, but that doesn’t mean they can’t be used to chain bugs to achieve real impact.
Facebook CSRF protection bypass which leads to Account Takeover gaining a bounty of $25000 (by Samm0uda)
How I could have hijacked a victim’s YouTube notifications! (by Yash Sodha)
Time for practice!
A must read including exercises Web Security CSRF by Portswigger.
The fact that there seems to be CSRF protection does not mean it can’t be bypassed. A CSRF challenge by zseano: “There’s cross site request forgery (CSRF) protection, but how good is it?”.
How to prevent CSRF?
Maybe CAPTCHA prevents CSRF? Think again, “CAPTCHA does not prevent cross-site request forgery (CSRF)” (by Linus Särud).
But how do I prevent CSRF then?
- Implement an anti-CSRF token
- Use the SameSite cookie attribute; it is easy to implement and supported by all major browsers. “Same-site cookies (née “First-Party-Only” (née “First-Party”)) allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.” (https://www.chromestatus.com/feature/4672634709082112)
When you are using CSRF tokens but you don’t check them server side
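To make the two defences above (and the "token issued but never checked" mistake) concrete, here is an added example that is not part of the original post or any of the linked resources. It implements the synchronizer token pattern with a SameSite session cookie using only the Python standard library; the in-memory session store, the user "alice" and the change-email handlers are hypothetical stand-ins for a real web framework.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory session store (constructed for this example):
# session id -> session data. A real app would use a server-side session backend.
SESSIONS = {}


def start_session():
    """Create a session and return (session_id, Set-Cookie header value).

    The cookie carries SameSite=Lax, so browsers will not attach it to
    cross-site POSTs; HttpOnly and Secure are the usual companions.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return sid, cookie.output(header="").strip()


def csrf_token_for(sid):
    """Per-session token to embed in the form as a hidden field."""
    return SESSIONS[sid]["csrf_token"]


def handle_change_email_vulnerable(sid, form):
    """The token is rendered into the form but never verified: a cross-site
    POST that omits it still succeeds, so the 'protection' is cosmetic."""
    SESSIONS[sid]["email"] = form["email"]
    return 200


def handle_change_email(sid, form):
    """Hardened handler: the state change only happens when the submitted
    token matches the one stored server-side for this session."""
    expected = SESSIONS.get(sid, {}).get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; a missing session or token is rejected too.
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403
    SESSIONS[sid]["email"] = form["email"]
    return 200
```

A forged form (no token, or a guessed one) gets 403 from the hardened handler while the vulnerable one still applies the change; only a form that embeds `csrf_token_for(sid)` is accepted.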
Simple & easy explanation about Cross-Site Request Forgery by Computerphile