CSRF, or cross-site request forgery (also known as a one-click attack, session riding, or XSRF), is a web security vulnerability that causes a user to perform unwanted actions on a web application in which they are currently authenticated. With the help of social engineering, an attacker may trick the user into performing actions of the attacker's choosing.
A successful CSRF attack may cause the victim to change the email address on their account, transfer funds, change their password, make a purchase without consent, and so on, in a web application in which the victim is currently authenticated. In some cases, attackers might be able to gain full control of the victim's account. If the compromised user has a privileged role within the application, the attacker might be able to take full control of all the application's data and functionality as well.
The pre-conditions for successfully exploiting a CSRF (Cross-Site Request Forgery) vulnerability are as follows:
The victim must be authenticated (logged in) to the target application.
The application lacks anti-CSRF tokens or other CSRF protection.
The attacker must trick the victim into clicking a malicious link or visiting a web page or fake website under the attacker's control.
The application uses cookie-based session handling.
The attacker must be able to predict or guess the parameters of the request.
CSRF attacks are more effective when the attacker can perform sensitive or relevant actions on behalf of the victim, such as changing passwords or transferring funds.
The following are mitigations against CSRF:
Include unique, random tokens in each form or request that requires user action. These tokens should be validated on the server to verify that the request is legitimate.
Set the SameSite cookie attribute to "Strict" or "Lax".
Verify the Referer or Origin header on the server to ensure that the request originates from an authorized source.
Require custom headers on the request and validate them on the server side. This acts as an extra layer of defence against CSRF attacks.
Send a token value along with the request and also store it in a separate HTTP-only cookie. The server can compare the two values to determine the authenticity of the request.
Implement Content Security Policy (CSP), X-Content-Type-Options, X-Frame-Options, and X-XSS-Protection headers to enhance overall security against CSRF attacks.
Use the proper HTTP request methods: use POST requests instead of GET for sensitive actions.
Implementing CAPTCHA challenges can make it harder for CSRF attacks to succeed.
Follow secure coding practices, sanitize and validate user input, and use frameworks and libraries with built-in CSRF protection.
Conduct regular security assessments, including penetration testing and code review, to identify and fix potential CSRF vulnerabilities.
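As an added example (not code from the original article), here is a minimal server-side check in Python that combines three of the mitigations above: a random per-session anti-CSRF token compared in constant time, an Origin/Referer check that fails closed when both headers are absent, and a session cookie issued with SameSite=Lax. The function names, the allowed origin and the sample requests are assumptions constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed for this example: the only origin allowed to submit state-changing requests.
ALLOWED_ORIGINS = {"https://app.example"}

def session_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie value whose SameSite=Lax attribute blocks most cross-site sends."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"

def issue_csrf_token(session: dict) -> str:
    """Generate a random per-session token, keep it server-side, return it for embedding in forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is an allowed origin."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False  # neither header present: fail closed rather than trust the request
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS

def request_is_allowed(session: dict, method: str, headers: dict, form: dict) -> bool:
    """Safe methods pass (they must never change state); others need an allowed origin and a matching token."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    if not origin_allowed(headers):
        return False
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the token check leaks no timing information.
    return hmac.compare_digest(expected.encode(), submitted.encode())

if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # Constructed requests: a legitimate form post and a cross-site forgery that lacks the token.
    good = {"Origin": "https://app.example"}, {"csrf_token": token}
    forged = {"Origin": "https://evil.example"}, {"amount": "1000"}
    print(request_is_allowed(session, "POST", *good))    # True
    print(request_is_allowed(session, "POST", *forged))  # False
```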
Helpful resources: