CSRF was ranked 5th in the OWASP Top 10 of 2010 and dropped to 8th place in the 2013 edition. It is no longer present in the OWASP Top 10 of 2017. Do you think that CSRF is dying out?

If you answered “I don’t know what CSRF is”, no problem. We’ve got you covered.

What is CSRF?

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated. 

OWASP

For this post we again have a great video by PwnFunction, in which he explains what CSRF is and shares some tips & tricks on how to successfully exploit it.


Some key takeaways:

  • The Same-Origin Policy does not protect against CSRF: it stops the attacker’s page from reading the response, not from sending the request (with the victim’s cookies attached)
  • Use anti-CSRF tokens to protect your site against CSRF
  • POST request with JSON data? Try to exploit it by forging a form (enctype="text/plain", with the JSON split across the field name and value; this only works if the server ignores the Content-Type header), via JavaScript (only if the server’s CORS configuration allows credentialed cross-origin requests), or, historically, via Flash (no longer available in modern browsers)
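As an added example (not code from the original post or from PwnFunction’s video), the third takeaway worked through in JavaScript: how a cross-site form with enctype="text/plain" ends up delivering a valid JSON body, and why the server-side Content-Type check is what decides whether the attack works. The endpoint, the field names and the JSON payload are hypothetical.

```javascript
// Added example, not from the original post. The /api/transfer endpoint and
// the JSON fields are hypothetical.

// What the browser puts on the wire for enctype="text/plain": one
// "name=value" line per field, terminated by CRLF, with no percent-encoding.
function textPlainBody(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join("");
}

// The attacker splits the JSON around the "=" the browser will insert:
// everything before it goes in the field name, the rest in the value.
// The dummy key "pad" absorbs the "=" so the result is still valid JSON.
const FORGED_FIELDS = [
  ['{"amount":1000,"to":"attacker","pad":"', '"}'],
];

// The attacker's page: an auto-submitting form, so visiting it is enough.
// The victim's cookies for `action` are attached by the browser.
function forgedFormHtml(action) {
  const [[name, value]] = FORGED_FIELDS;
  return `<form id="f" action="${action}" method="POST" enctype="text/plain">
  <input name='${name}' value='${value}'>
</form>
<script>document.getElementById("f").submit();</script>`;
}

// Simulated server-side handling. `strictContentType` is the one-line fix:
// a server that only accepts application/json never sees the forged body
// as JSON, because an HTML form cannot send that Content-Type.
function parseJsonRequest(contentType, body, strictContentType) {
  if (strictContentType && !/^application\/json\b/i.test(contentType)) {
    return { accepted: false, reason: "unsupported Content-Type" };
  }
  try {
    return { accepted: true, data: JSON.parse(body) };
  } catch (e) {
    return { accepted: false, reason: "invalid JSON" };
  }
}

// Walk through both outcomes for the same forged request.
function demo() {
  const body = textPlainBody(FORGED_FIELDS);
  return {
    wireBody: body,
    lenientServer: parseJsonRequest("text/plain", body, false),
    strictServer: parseJsonRequest("text/plain", body, true),
  };
}
```

The JavaScript route mentioned in the takeaway is the other side of the same coin: `fetch(url, { method: "POST", credentials: "include", headers: { "Content-Type": "application/json" }, body })` triggers a CORS preflight, and the browser only sends the real request if the server answers with an `Access-Control-Allow-Origin` that matches the attacker’s origin together with `Access-Control-Allow-Credentials: true`. Checking the Content-Type strictly closes the form route; a sane CORS policy closes the JavaScript route; an anti-CSRF token closes both.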

EXTRA: A tutorial by Troy Hunt, “Understanding CSRF, the video tutorial edition“.

Impact

Even though CSRF requires user interaction, the impact can be quite severe, up to and including account takeover. The impact of CSRF is bounded by the functionality of the application: whatever the victim can do with a single request (changing data, creating or placing content, …), the attacker can make them do.
An example of CSRF with no real security impact is adding items to someone else’s shopping cart. The same goes for login and logout CSRF, but that doesn’t mean they can’t be chained with other bugs to achieve real impact.

An example on how login CSRF can be misused by using it in combination with another bug (by Ron Chan)

Facebook CSRF protection bypass which leads to Account Takeover gaining a bounty of $25000 (by Samm0uda)

How I could have hijacked a victim’s YouTube notifications! (by Yash Sodha)

A write-up by one of our researchers, @MattiBijnens who found a CSRF issue in one of our programs.

Combining 3 minor issues to achieve Reflected XSS (by Jack)

Not a write-up but an example of how CSRF has been exploited on routers.

Time for practice!

A must-read, including exercises: Web Security CSRF by PortSwigger.

The presence of CSRF protection does not mean it can’t be bypassed. A CSRF challenge by zseano: “There’s cross site request forgery (CSRF) protection, but how good is it?“.

How to prevent CSRF?

Maybe CAPTCHA prevents CSRF? Think again, “CAPTCHA does not prevent cross-site request forgery (CSRF)” (by Linus Särud).

But how do I prevent CSRF then?

  • Implement an anti-CSRF token
  • Use the SameSite cookie attribute; it is easy to implement and supported by all major browsers. “Same-site cookies (née “First-Party-Only” (née “First-Party”)) allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.” (https://www.chromestatus.com/feature/4672634709082112) Note that SameSite=Lax still sends the cookie on cross-site top-level GET navigations, so state-changing GET endpoints remain exploitable, and SameSite=None cookies must also carry the Secure attribute or browsers reject them. Treat SameSite as defence in depth next to a token, not as a replacement for it.

When you are using CSRF tokens but you don’t check them server side

CSRF prevention cheat sheet by OWASP.

Especially for our .NET developers: a post about CSRF in .NET by Troy Hunt.

Want more?

A blog post about “SameSite cookies in practice” by literallybenjamin

Simple & easy explanation about Cross-Site Request Forgery by Computerphile

Follow us on twitter and don’t forget to subscribe to our weekly Bug Bytes, a newsletter curated by Pentester Land & powered by intigriti containing more write-ups and helpful resources.