![](\"https:\/\/varutra-1a3b6.kxcdn.com\/wp-content\/uploads\/2021\/09\/CSRF-Attack-1024x535.png\" "\\"Mitigating")
<\/p>\n<\/p>\n
Cross-Site Request Forgery (CSRF) is a widely known web security vulnerability that enables a malicious user to induce another user(s)into performing unintended sensitive actions.<\/p>\n
If CSRF is exploited successfully, the attacker causes the victim to trigger a sensitive and\/or state-changing action unintentionally. They are not just limited to changing the email address on the victim\u2019s account, but also change the victim\u2019s password, and delete the victim’s account.<\/p>\n
![\"An](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/An-example-of-a-CSRF-attacks-flow.png\")
<\/p>\n
Image: An example of a CSRF attack\u2019s flow<\/p>\n
<\/p>\n
![\"CSRF](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/CSRF-exploit-PoC.png\")
<\/p>\n
Image: CSRF exploit PoC<\/p>\n
The most tried and tested way to defend against CSRF attacks is the inclusion of CSRF tokens within state-changing requests. A CRSF token is generally created on the server-side of the application which is a secretive and unique value that is later on transmitted to clients via a subsequent HTTP request created by them. When the latter request is created, the server validates the request that includes the expected token, but it rejects the request if the token is missing or invalid.<\/p>\n
The tokens help mitigate CSRF attacks by rendering it impossible for an attacker to forge a valid HTTP request suitable for exploiting the victim. As the attacker is not qualified to predict the value of the other user\u2019s token, they won\u2019t be able to generate a request with the required variable for the target application to receive it.<\/p>\n
These tokens are considered sensitive information and are managed securely throughout their life-cycle. The most common approach is to transfer the token to the client that is present in the hidden field of HTML form is by submitted it by POST method. It will then include the token as a request parameter when the form is submitted:<\/p>\n
<input type=”hidden” name=”csrf-token” value=”UseinNextRequest_rng123″ \/><\/em><\/p>\n Image: CSRF token in use<\/p>\n Secure implementation of CSRF tokens has the following properties:<\/p>\n <\/p>\n Image: CSRF token not mapped to a user session<\/p>\n <\/p>\n Consider the following example, where the original request uses the POST method. In this scenario, the server application validates the CSRF token only when the request method is POST.<\/p>\n POST \/email\/change HTTP\/1.1 csrftoken=UserA_rng123&email=user_a@null<\/span>test.local<\/a><\/p>\n In this situation, the attacker can change the request to GET method, for bypassing the validation and exploit the CSRF attack:<\/p>\n GET \/email\/change?email=hacked@null<\/span>test.local<\/a>HTTP\/1.1 <\/p>\n CSRF attacks are centered on exploiting the default browser behavior of including a website\u2019s session cookie(s) in cross-site requests. This allows an attacker to forge HTTP request(s) and induces the victim to trigger a sensitive and\/or state-changing action unintentionally.<\/p>\n Most Cross-Site Request Forgery (CSRF) attacks comprise a scenario in which the victim visits the attacker-controlled website and the attacker’s website triggers a state-changing HTTP request<\/a> to the vulnerable website. How cookies are submitted or whether they are submitted in cross-site requests can be controlled by the SameSiteattribute.<\/p>\n A web application can prevent the default browser behavior of automatically adding cookies to requests by setting the SameSite attribute on session cookies, regardless of the origin of the requests.<\/p>\n The server will issue the cookie when this is included in the Set-Cookie response. Strict or Lax. Are the given two values for the attributes.<\/p>\n Set-Cookie: SessionId=rng_123xD; SameSite=Strict;<\/p>\n Set-Cookie: SessionId= rng_123xD; SameSite=Lax;<\/p>\n The browser will not be including the cookies in any of the requests that are originating from a different site when the setting of the SameSite attribute is Strict. This is the most restrictive option, but it hinders the user experience. The user will not appear to be logged in when the user has used a third-party link to the site and will have to log in again. This scenario occurs when the attribute is set to Strict.<\/p>\n The browser will include cookies in a request that that originates from the other site if the SameSite attribute is configured to Lax, but there are two conditions to be followed:<\/p>\n Using SameSite cookies in Lax mode provides a partial defense against CSRF attacks, considering the hindrance caused because ofStrictSameSite cookies in many scenarios.<\/p>\n Besides CSRF tokens<\/a>, these cookies act as an additional defense mechanism that might help mitigate any lapse in implementing CSR tokens. However, it is not recommended to rely solely on SameSite cookies as a defense against CSRF attacks.<\/p>\n <\/p>\n If you would like to delve deeper into this topic, here are a few resources I recommend:<\/p>\n <\/p>\n Author,<\/p>\n Akshay Khilari<\/strong><\/p>\n Attack & PenTest Team<\/p>\n Varutra Consulting Pvt. Ltd.<\/p>","protected":false},"excerpt":{"rendered":" What is Cross-Site Request Forgery (CSRF)? Cross-Site Request Forgery (CSRF) is a widely known web security vulnerability that enables a malicious user to induce another…<\/p>\n","protected":false},"author":4,"featured_media":16905,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[272],"tags":[493,341,435],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t![\"Cross-Site](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/CSRF-token-in-use.png\")
<\/p>\n\n
Common flaws in CSRF token implementation<\/strong><\/h3>\n
Tokens are not mapped to the user\u2019s session<\/h4>\n
\n
![\"CSRF](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/CSRF-token-not-mapped-to-a-user-session.png\")
<\/p>\nToken validation relies on the request method<\/h4>\n
\nHost: popular-website.com
\nContent-Type: application\/x-www-form-urlencoded
\nCookie: session=rng123xD<\/p>\n
\nHost: popular-website.com
\nCookie: session= rng456xZ<\/p>\nDefense in depth with SameSite cookies<\/strong><\/h3>\n
\n
References and further reading<\/strong><\/h3>\n
\n