Learn About Cross-Site Request Forgery (CSRF) Attack

In this brief article I will explain, in a simple and easy-to-understand way, how the Cross-Site Request Forgery (CSRF) attack works.


This article covers the following topics:
  1. Introduction
  2. Use of HTTP Cookies
  3. How Cookies are Created
  4. Use of HTTP Authentication
  5. What is Cross-Site Request
  6. Steps in CSRF Attack
  7. Recommendation for Protection


1. Introduction

The CSRF attack works by exploiting an existing authenticated user session. For example, a user does not log out of a web portal and then visits another site or opens another tab, so he browses the other site while the authenticated session is still active.
First, let me explain how websites maintain authenticated web sessions:
  • Use of HTTP Cookies
  • Use of HTTP Authentication Credentials (Authentication Tokens)

2. Use of HTTP Cookies

Cookies are small pieces of text data that the web server sends to the browser. The browser stores cookies on the client computer and attaches them to subsequent requests made to the web server that set them.

3. How Cookies are Created

A cookie is created after a website has authenticated a user. The website sends back a cookie that contains a ‘session ID’ unique to that user session. This is what is known as an authentication cookie: every subsequent request that carries this cookie is interpreted by the website as coming from the user who owns that session.

When a website sends a cookie to a browser, it also provides an ‘expires’ attribute together with other attributes. The expires attribute indicates the validity period of the cookie; the cookie is deleted after that period. If the expires attribute is absent, the cookie is known as a session cookie and is normally deleted when the user closes the browser window. Cookies that come with an expires field are known as ‘persistent cookies’.
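To make the session/persistent distinction concrete, here is a small added example (my own code, not from the article) that reads a Set-Cookie header the way a browser would and reports whether the cookie dies with the window or survives until a given time. Browsers honour both Expires and the newer Max-Age attribute, so the function checks both. The header values are constructed for the example.

```python
"""Added example: classify a Set-Cookie header as a session or persistent cookie.
Not code from the article; the header strings below are constructed samples."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie


def classify_cookie(set_cookie_header, now=None):
    """Return a list of (name, kind, expires_at) for each cookie in the header.

    kind is 'session' when neither Expires nor Max-Age is present (the browser
    drops the cookie when the window closes) and 'persistent' otherwise, in
    which case expires_at is the UTC time after which the browser deletes it.
    """
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar.load(set_cookie_header)  # parses name=value plus attributes such as Expires/HttpOnly
    results = []
    for name, morsel in jar.items():
        max_age = morsel["max-age"]   # '' when the attribute is absent
        expires = morsel["expires"]
        if max_age:                   # Max-Age wins over Expires when both are present
            results.append((name, "persistent", now + timedelta(seconds=int(max_age))))
        elif expires:
            results.append((name, "persistent", parsedate_to_datetime(expires)))
        else:
            results.append((name, "session", None))
    return results


if __name__ == "__main__":
    # Constructed sample headers: an authentication cookie with no expiry, and a
    # 'remember me' style cookie that persists until a fixed date.
    print(classify_cookie("sessionid=abc123; Path=/; HttpOnly; Secure"))
    print(classify_cookie("remember=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"))
```

A practitioner's takeaway: an authentication cookie should be a session cookie (no Expires/Max-Age) so that closing the browser really does end the session, which is the assumption behind the advice in section 7.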

4. Use of HTTP Authentication

This is a somewhat more secure mechanism, used mainly in intranet environments, that does not make use of cookies. When a user visits such a site, the browser displays a popup that requests the user's credentials. After the user submits them, the credentials are encrypted and sent to the server in what is known as the Authorization request header.
When the user later visits other web pages in the same intranet, the browser automatically sends the credentials along with each request in the Authorization header.
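As an added illustration of the Authorization header (my own code, not from the article), here is how a browser builds the header for the common "Basic" scheme and how any party that can read the header gets the credentials back. The point a defender should take from it: Basic authentication only base64-encodes the credentials, which is reversible encoding rather than encryption, so the header is protected only by TLS on the wire; and because the browser re-sends it automatically, it behaves like an authentication cookie for the purposes of the next sections. The username and password are constructed sample values.

```python
"""Added example: construct and decode an HTTP Basic Authorization header.
Not code from the article; credentials below are constructed samples."""
import base64


def basic_auth_header(username, password):
    """Build the header value a browser sends after the credentials popup.
    The browser resends this automatically on later requests to the same realm."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def recover_credentials(header):
    """Reverse the header. Base64 is encoding, not encryption: anyone who sees the
    header (a proxy, a log file, a network capture without TLS) recovers the
    credentials with this same call."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    username, _, password = base64.b64decode(payload).decode("utf-8").partition(":")
    return username, password


if __name__ == "__main__":
    header = basic_auth_header("alice", "s3cret")   # constructed sample credentials
    print(header)                                   # Basic YWxpY2U6czNjcmV0
    print(recover_credentials(header))              # ('alice', 's3cret')
```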

5. What is Cross-Site Request?

A cross-site request occurs when a page on one site causes the browser to send a request to another site. In this case, an HTTP request sent to site A can also generate an HTTP request to site B. This is typically provided in the form of hyperlinks in the first site.
So when a user clicks a link or button included in a web page, the link may actually be directing the request to an external website.

6. Steps of CSRF Attack

Generally, the CSRF attack exploits cross-site requests for malicious purposes. This is how it works:

  • The user visits his bank's website (mybank.com) and performs a transaction.
  • He then visits another website, hacker.com, without logging out of his banking portal.
  • hacker.com creates and submits a request to mybank.com using the user's active session. When this request is sent, the user's browser attaches the valid authentication cookie to it.
  • The mybank.com website interprets this request as coming from the user and processes it.


From this point on, the hacker.com website can keep issuing requests to mybank.com in the user's name for as long as the cookie is active. This is illustrated in Figure 2.
Figure 2: How CSRF Works
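The steps above come down to one fact: mybank.com decides who sent the request by looking only at the cookie, and the browser attaches that cookie no matter which page triggered the request. The following added example (my own code, not from the article or from any real bank) simulates the server side of those steps with a toy transfer handler in two versions: the cookie-only check that the steps describe, and a hardened check that additionally requires the request to come from the bank's own origin and to carry a per-session secret token that a page on hacker.com never sees. The domain names are those used in the article; the session store, request shape and handler names are assumptions for the example, and all requests are constructed.

```python
"""Added example: a toy mybank.com transfer endpoint, vulnerable and hardened.
Not code from the article; sessions and requests below are constructed."""
from dataclasses import dataclass
import hmac
import secrets

BANK = "https://mybank.com"        # the bank's own origin (domain from the article)
SESSIONS = {}                      # session id -> {"user": ..., "csrf_token": ...}


@dataclass
class Request:
    """The parts of an HTTP request the handlers care about."""
    method: str
    headers: dict
    form: dict


def login(user):
    """Authenticate the user; return the session id the bank would place in its
    Set-Cookie header. A secret CSRF token is stored alongside the session and is
    only ever embedded in the bank's own pages, never sent to other sites."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return sid


def session_from_cookie(req):
    """Look up the session named by the 'sessionid' cookie, if there is one."""
    for part in req.headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sessionid" and value in SESSIONS:
            return SESSIONS[value]
    return None


def transfer_cookie_only(req):
    """Vulnerable: the cookie proves WHO the user is, not WHICH page sent the request."""
    sess = session_from_cookie(req)
    if req.method != "POST" or sess is None:
        return 403, "not authenticated"
    return 200, f"{sess['user']} sent {req.form['amount']} to {req.form['to']}"


def transfer_hardened(req):
    """Hardened: same cookie check, then (a) the request must originate from the
    bank's own origin and (b) it must carry the token tied to this session.
    A page on hacker.com can cause the browser to send the cookie but can satisfy
    neither condition. The token comparison is constant-time."""
    sess = session_from_cookie(req)
    if req.method != "POST" or sess is None:
        return 403, "not authenticated"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(BANK):
        return 403, "cross-site request rejected"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return 403, "missing or wrong CSRF token"
    return 200, f"{sess['user']} sent {req.form['amount']} to {req.form['to']}"


def demo():
    """Run one legitimate and one forged transfer through both handlers and return
    the status codes as {'legit': (cookie_only, hardened), 'forged': (...)}."""
    sid = login("alice")
    cookie = {"Cookie": f"sessionid={sid}"}   # the browser attaches this to BOTH requests
    legit = Request("POST", {**cookie, "Origin": BANK},
                    {"to": "bob", "amount": "10",
                     "csrf_token": SESSIONS[sid]["csrf_token"]})
    forged = Request("POST", {**cookie, "Origin": "https://hacker.com"},
                     {"to": "mallory", "amount": "1000"})   # no token: hacker.com never had it
    return {
        "legit": (transfer_cookie_only(legit)[0], transfer_hardened(legit)[0]),
        "forged": (transfer_cookie_only(forged)[0], transfer_hardened(forged)[0]),
    }


if __name__ == "__main__":
    print(demo())   # {'legit': (200, 200), 'forged': (200, 403)}
```

The cookie-only handler accepts the forged request because, from the server's point of view, it is indistinguishable from a genuine one. Real frameworks implement the hardened version for you (synchronizer tokens plus an Origin/Referer check), and marking the session cookie SameSite=Lax or Strict stops the browser from attaching it to cross-site POSTs in the first place.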


7. Recommendations for Protection

Since this article is for everyone, I will not discuss the technical defenses against CSRF here, as these would require some technical detail. I would, however, like to make the following recommendations, which apply to everyone and help you maintain some security:
  • always log out after using a secure application;
  • close the browser window after using a secure application such as your banking website;
  • shut down your system at least once a day, as this erases the cookies stored in the system.