Beware of the invisible click! Understanding CSRF Attacks

  • Writer: Bhupendra budha
  • Jan 26
  • 3 min read

CSRF (Cross-Site Request Forgery) is a web security vulnerability that tricks a user into executing unwanted or malicious actions on a trusted website where the user is already authenticated. It is related to Broken Access Control but is categorized as an injection-based attack rather than a direct access issue.

The attack exploits the trust between the website and the user’s browser session.

The actions might involve changing emails or passwords, submitting payments, etc.

CSRF was included in the OWASP Top 10 (2013) but was later removed in 2017 because most modern frameworks like Django, Laravel, etc., enforce CSRF protection by default. Moreover, Broken Access Control (A01:2021) covers broader authorization issues, including improper enforcement of CSRF protection.


CSRF Attack Demo


Let’s dive into the demonstration of a CSRF attack, where we will craft a malicious HTML page and lure a logged-in user into updating their email address without their consent.


Step 1: Understanding a Scenario

Imagine a banking site where users can change their credentials, such as their email address, while logged in. Normally, the user updates their email using the following form:


[Figure: the email update form on the banking site]

The user's email address is updated successfully whenever the “Submit” button is pressed.

NOTE: We haven’t enforced CSRF protection for this demonstration.

Step 2: Exploitation

When the victim logs into their bank account (victim-bank.com), the website remembers their session using cookies, so the user doesn’t have to log in every time. During this time, the attacker can redirect the victim to a malicious page (attack-site.com).

Thus, the malicious site can secretly submit a fake request to the victim’s bank site, changing the victim’s email address.

The malicious site is designed to automatically send the request as soon as the victim visits it.

[Figure: attack.html, the attacker’s auto-submitting page]

The attack.html page (attack-site.com/attack.html) is served from the attacker’s site; its form field is preset to value="attacker@example.com" and the form is submitted automatically. The forged request succeeds because the browser attaches the victim’s existing session cookie to it and the bank does not require a CSRF token, which is what makes the CSRF attack possible.

There are several ways to lure the victim onto the malicious site, including:

  • Phishing emails

  • Fake social media posts/ads

  • Compromised websites


Step 3: Preventing CSRF Attacks

One can prevent a CSRF attack by enforcing several security protocols, authentication mechanisms, and sanitization techniques.


I. CSRF Tokens: The server must include a unique CSRF token during every form submission. This ensures that the server can validate genuine form submissions from the user and reject requests from an attacker.

[Figure: the form with a hidden CSRF token field]

II. SameSite Cookies (SameSite=Strict): Setting SameSite=Strict in the Set-Cookie field prevents cookies from being sent along with requests from other sites.

[Figure: a Set-Cookie header with SameSite=Strict]

III. Re-authentication: For every critical action (such as changing passwords or making transactions), the server must request re-authentication from the user (e.g., OTP or password confirmation).


IV. Request Validation & Secure Logout:

  • The server should validate whether the request originates from the same site.

  • Auto-logout inactive users to prevent attackers from exploiting existing sessions.
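The following is an added example, not code from the original post, showing how a server could implement defenses I, II and IV together for the email-change request from the demo: a per-session CSRF token checked with a constant-time compare, a session cookie issued with SameSite=Strict, and an Origin/Referer check against the site’s own origin. The site origin, the in-memory session store and the request dictionaries are assumptions constructed for the example; the forged request deliberately still carries the session cookie so that the server-side checks, not the browser, are what reject it.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://victim-bank.com"  # assumed origin of the protected site
SESSIONS = {}  # constructed in-memory store: session_id -> {"user", "csrf", "email"}


def start_session(user):
    """Create a session with its own CSRF token; return (session_id, Set-Cookie value)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "email": None}
    # SameSite=Strict: the browser will not attach this cookie to requests
    # initiated from another site, such as attack-site.com's auto-submitting form.
    return sid, f"session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


def csrf_token_for(sid):
    """Token the server embeds as a hidden field in the genuine email-change form."""
    return SESSIONS[sid]["csrf"]


def check_state_change(headers, cookies, form):
    """Validate a state-changing POST. Returns (ok, reason)."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return False, "no valid session"
    # IV. Request validation: the request must originate from the site itself.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False, "missing Origin/Referer"
    parts = urlsplit(origin)
    requester = f"{parts.scheme}://{parts.netloc}"
    if requester != SITE_ORIGIN:
        return False, f"cross-site request from {requester}"
    # I. CSRF token: must match the token bound to this session (constant-time compare).
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), SESSIONS[sid]["csrf"].encode()):
        return False, "bad CSRF token"
    return True, "ok"


def update_email(headers, cookies, form):
    """The email-change endpoint from the demo, now guarded by check_state_change."""
    ok, reason = check_state_change(headers, cookies, form)
    if ok:
        SESSIONS[cookies["session"]]["email"] = form["email"]
    return ok, reason
```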


