Tag: CSRF

Hello, aspiring ethical hackers. In our previous blogpost on web application hacking, we learnt about different kind of vulnerabilities in web applications. In this article, you will learn about Cross-Site Request Forgery (CSRF) vulnerability, one of the dangerous vulnerabilties affecting web applications. Cross-Site Request Forgery (CSRF) is a common web application vulnerability that allows attackers to trick a user’s browser into performing unwanted actions on a website where the user is already authenticated. As the request is sent from the victim’s browser with their existing session cookies, the web application often treats the request as legitimate.

For beginners in cybersecurity or web security, CSRF is an important concept to understand because it highlights how trust between a user’s browser and a website can be abused.

What is Cross-Site Request Forgery (CSRF)?

CSRF occurs when a malicious website, email or script tricks a user into sending a request to another website where they are currently logged in. Since web applications rely heavily on session cookies to identify authenticated users, the browser automatically includes those cookies in every request sent to the site. This means that if a victim is logged into a website, any request sent from their browser to that site will appear legitimate.

An attacker exploits this behavior by creating a malicious request that performs an action on behalf of the victim.

How CSRF Attacks Work?

CSRF attacks work by exploiting the trust that a website or web application has on a user’s browser. When a user is logged into a website, the website creates a session for that user, which includes a unique session ID. This session ID is stored in a cookie on the user’s browser and is sent to the website with every subsequent request made by the user.

An attacker who wants to execute a CSRF attack needs to trick the victim user into submitting a request to the target website that includes the victim’s session ID. This can be accomplished in a number of ways, including by embedding a malicious form or link on a third-party website or by sending a malicious email or message to the victim user.

Once the victim user submits the request with their session ID, the website will process the request as if it came from the user directly. This can allow the attacker to execute actions on behalf of the victim user, such as changing their account information, making purchases, or transferring funds.

A Simple Example

Imagine a user is logged into their online banking account. The bank’s website allows users to transfer money using a request similar to this:

https://bank.com/transfer?amount=500&to=attacker_account

If the application does not properly verify that the request is legitimate, an attacker could create a malicious webpage containing something like:

<img src="https://bank.com/transfer?amount=500&to=attacker_account">

When the victim visits the malicious page, their browser automatically sends the request to the bank. Because the victim is already logged in, the request includes their session cookies. The bank processes the request as if the victim initiated it. As a result, money could be transferred without the user realizing it.

Other examples of CSRF attacks include changing a user’s password or email address, making purchases or subscriptions without the user’s knowledge or consent and performing unauthorized actions on social media accounts.

Why CSRF Works?

CSRF attacks rely on three main conditions. They are,

1. The victim is authenticated

The user must already be logged into the target website.

2. The application trusts the browser

The web application assumes any request containing a valid session cookie is legitimate.

3. No request validation is implemented

If the application does not verify the origin or authenticity of requests, it becomes vulnerable. As browsers automatically include cookies with requests, attackers can exploit this behavior to perform actions such as:

• Changing account settings
• Submitting forms
• Performing financial transactions
• Adding or deleting data

Common Targets of CSRF

CSRF attacks typically target functionality that performs important actions, such as:

• Password changes
• Email address updates
• Money transfers
• Posting messages or comments
• Administrative actions in web panels

If these actions rely only on session cookies for authentication and lack additional validation, they may be vulnerable.

Real-World Examples

Although CSRF may appear simple, its consequences can be serious. Attackers may be able to:

• Modify account information
• Perform unauthorized financial transactions
• Abuse administrative privileges
• Trigger unwanted actions in web applications

Historically, many popular websites were vulnerable to CSRF before proper protections became widely adopted. Let’s see some real-world examples.

1. Twitter Bug Bounty Program:

In 2018, a security researcher discovered a CSRF vulnerability in the Twitter Ads platform. The vulnerability allowed an attacker to create and launch an advertising campaign on behalf of the victim without their knowledge. The researcher reported the vulnerability to Twitter, who promptly patched the issue and awarded the researcher a $3,000 bounty.

2. Starbucks Gift Card Theft:

In 2015, security researchers discovered a vulnerability in the Starbucks gift card registration process that allowed attackers to steal gift card balances. The vulnerability was caused by a lack of CSRF protection, which allowed attackers to change the email address associated with a gift card and then transfer the balance to their own account. The researchers notified Starbucks of the vulnerability, and the company promptly patched the issue.

3. Google Drive CSRF Attack:

In 2016, security researchers discovered a CSRF vulnerability in Google Drive that allowed attackers to steal sensitive user data, including email addresses and contact lists. The vulnerability was caused by a lack of anti-CSRF tokens, which allowed attackers to execute unauthorized actions on behalf of the user. Google was notified of the vulnerability and quickly patched the issue.

These are just a few examples of the devastating consequences of CSRF attacks.

CSRF vs XSS

Beginners often confuse CSRF with Cross-Site Scripting (XSS), but they are entirely different. Here is the main difference between them.

Interestingly, XSS vulnerabilities can sometimes bypass CSRF protections by stealing tokens.

How to Prevent CSRF vulnerabilities?

Fortunately, CSRF vulnerabilities are well understood and can be mitigated with several defensive techniques.

1. CSRF Tokens:

The most common defense is the use of CSRF tokens. A CSRF token is a unique, unpredictable value generated by the server and included in forms or requests. When the request is submitted, the server verifies the token. Because attackers cannot predict or access this token, malicious requests fail validation.

Example concept:

<form>
  <input type="hidden" name="csrf_token" value="random_secure_value">
</form>

The server checks the token before processing the request.

2. SameSite Cookies:

Modern browsers support the SameSite cookie attribute, which helps prevent CSRF attacks. When enabled, cookies are not sent with requests originating from external websites.

Example:

Set-Cookie: sessionid=abc123; SameSite=Strict

This reduces the risk of cross-site requests using authentication cookies.

3. Checking Request Origin:

Applications can also validate the Origin or Referer header to confirm that requests come from trusted sources. If the request originates from an unexpected domain, the server can reject it.

4. Re-authentication for Sensitive Actions:

For critical operations such as password changes or financial transactions, applications often require users to:

• Re-enter their password
• Confirm via multi-factor authentication (MFA)

This adds another layer of protection against unauthorized requests.

Conclusion

CSRF is a powerful example of how web applications can unintentionally trust user browsers too much. By abusing existing authentication sessions, attackers can trick users into performing actions they never intended.

The good news is that CSRF vulnerabilities are preventable through proper security controls such as CSRF tokens, SameSite cookies, and request validation. For developers and security professionals alike, understanding CSRF is essential for building secure web applications and protecting users from hidden attacks.