What is Cross-Site Request Forgery?
Cross-site request forgery (CSRF) cyberattacks are common web application vulnerabilities that take advantage of the trust that a website has already granted a user and their browser by tricking the web browser into executing an unwanted action in an application that the user is already logged in to. CSRF cyberattacks are also known by the names: XSRF, “sea surf”, session riding, hostile linking, and reference forgery. A CSRF cyberattack is often conducted using social engineering techniques to manipulate an authenticated user into executing malicious actions without their awareness or consent, often by clicking on email or SMS message link that tricks the user into sending a forged request to a server. Since the user’s identity has already been authenticated by their login at the time of the cyberattack, the cyberattacker can use the user’s account to change passwords, steal sensitive personal information, steal confidential data, transfer funds, or, if the user is a web administrator with broad access privileges, compromise the entire application.
In some cases, CSRF cyberattacks are stored directly on vulnerable sites, which is referred to as a CSRF flaw. A cyberattacker creates a CSRF flaw by storing an IMG or IFRAME tag in an HTML field, or by conducting a cross-site scripting attack. Users who are already authenticated on a website are extremely vulnerable to a CSRF flaw as they are 1) likely to trust the website and 2) are also vulnerable to CSRF cyberattacks because they are already authenticated.
There are a number of effective methods for user CSRF prevention and mitigation:
- Log off of web applications when they are not in use
- Secure usernames and passwords
- Do not allow browsers to remember passwords
- Avoid browsing while logged into an application
- Do not click on links in emails or messages
- Check if your framework has built-in CSRF protection and use it1
- Consider the use of custom request headers
- Consider verifying the origin with standard headers
To prevent and mitigate CSRF cyberattacks on web applications:
- Generate random tokens for every session request or ID; the token should be unpredictable with high entropy, tied to the user’s session, and strictly validated in every case before the relevant action is executed
- Block session requests with duplicate tokens or missing values
- Double-submit cookies
- Regularly scan and test security of web applications
- Use custom security policies aimed at CSRF cyberattack prevention
1 OWASP, 2022, “Cross-Site Request Forgery Prevention Cheat Sheet”