CSRF Attack and Measures to Prevent it
In the previous article, we talked about CORS and how it enhances web security. However, CORS only controls which cross-origin pages may read a response; it does nothing to stop a cross-origin page from sending a request in the first place, so it does not protect against attacks such as CSRF. In this article, we’re going to talk about what a CSRF attack is and what measures are taken in order to prevent it.
What is CSRF Attack
CSRF (Cross-Site Request Forgery) is an attack in which a page controlled by the attacker makes the victim’s browser send a request to another application the victim is logged into. Because the browser attaches the victim’s cookies to that request automatically, the application treats the forged request as if the victim had made it. The attacker never sees the victim’s credentials; the forged request simply rides on the victim’s existing session.
The figure depicts how a CSRF attack works. The attacker deceives the victim into visiting a page under the attacker’s control, for example by sending them a link. That page contains a form whose action points at the victim’s account on the target application, typically submitted automatically by a script as soon as the page loads. Since the victim is authenticated, their session cookies are sent along with the attacker’s request and the harmful action takes place. The harmful action can be anything the victim is allowed to do, such as transferring money to the attacker’s account, deleting some of the victim’s data, or changing their e-mail address to the attacker’s.
Fortunately, there are well-established measures to prevent CSRF attacks.
Some measures to confront CSRF
- CSRF token (synchronizer token): a random, unguessable value generated by the server when the user logs in and bound to the user’s session; when the user logs out or the session expires, the token dies with it and a fresh one is issued at the next login. The server keeps a copy of the token in the session and embeds it in the HTML form as a hidden input field, so it is sent automatically when the user submits the form. On each state-changing request the server compares the submitted token with the copy in the session, using a constant-time comparison; if they match the request is accepted, otherwise it is rejected. The defence works because the same-origin policy prevents the attacker’s page from reading the victim’s HTML, so the attacker cannot learn the token: a forged request arrives without it (or with a wrong one) and is rejected. The token can also be delivered in other ways, such as a custom request header for AJAX calls, or the double-submit-cookie pattern where the same value must appear both in a cookie and in the request body. Storing the token only in a cookie is useless, however, because cookies are exactly what the browser attaches to the attacker’s request for free.
- Protecting the token from script injection: a CSRF token is only as good as its secrecy, and an XSS vulnerability lets an attacker’s script read the hidden input and then submit a perfectly valid forged request. The common mitigation is a Content Security Policy (CSP). A strict policy such as Content-Security-Policy: script-src 'self' (or a nonce-based policy) disallows inline scripts and only permits scripts loaded from the page’s own origin, which makes it much harder for injected markup to execute and reach sensitive elements such as the hidden field containing the CSRF token. CSP does not remove the injection itself; output encoding still has to be done.
- SameSite attribute on cookies: by default the browser attaches a site’s cookies to every request to that site, regardless of which page started the request. Setting Set-Cookie: session=example_session_id; SameSite=Strict; Secure; HttpOnly tells the browser to send the cookie only with requests that originate from the same site, never with cross-site requests. So when the victim lands on the attacker’s page and its form is submitted towards the target, the session cookie is left out and the server sees an unauthenticated request. SameSite=Lax is the more common choice: it still blocks cross-site form POSTs but lets the cookie through on top-level GET navigations, so a user following a link from another site stays logged in. The Secure attribute is only mandatory for SameSite=None; for Strict and Lax it is good practice rather than a requirement. The attribute alone is not enough: old browsers ignore it, Lax offers no protection if the application changes state on GET requests, and a request is “same-site” from any subdomain of the same registrable domain, so an attacker who controls or can inject into a sibling subdomain is not stopped. Use it as defence in depth alongside a CSRF token. You can read more about the attribute in the MDN documentation on Set-Cookie.
- Referer and Origin header checks: the Referer header carries the URL of the page from which the request came, and the Origin header (sent by browsers on POST and other cross-origin requests) carries only its scheme, host and port. A server can compare these against its own origin and reject state-changing requests that come from anywhere else, which is exactly the situation in a CSRF attack. Two caveats: the check must compare the whole origin and not do a substring match on the host (attacker-bank.example contains bank.example), and the Referer is often missing, because Referrer-Policy, privacy extensions or HTTPS-to-HTTP transitions strip it, so decide deliberately whether a missing header fails open or fails closed (Origin is the more reliable of the two for this purpose). Outside security, the same Referer header is what lets site owners see where their traffic comes from, analyse how users navigate the site, block hotlinking, or tailor content to the referring page.
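The measures above fit together on one request-handling path. The following is an added example written for this article, not code from the original page or from any framework: a toy server that issues a per-session synchronizer token, embeds it in a hidden input, checks the Origin or Referer header, and validates the token in constant time, plus a small function modelling which SameSite setting lets a browser attach the cookie. The origin bank.example, the attacker.example site, the in-memory SESSIONS store and the Request dataclass are all assumptions of this example.

```python
"""Layered CSRF defence on a toy server (added example, not the article's code):
synchronizer token, Origin/Referer check, and a model of the SameSite rule."""
from __future__ import annotations
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"   # assumed origin of the protected app
SESSIONS: dict[str, dict] = {}         # assumed in-memory session store


def login(user: str) -> tuple[str, str]:
    """Create a session with its own CSRF token; return (sid, Set-Cookie value)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    cookie = f"session={sid}; SameSite=Strict; Secure; HttpOnly; Path=/"
    return sid, cookie


def render_transfer_form(sid: str) -> str:
    """Embed the token as a hidden input. The same-origin policy stops an
    attacker's page from reading this HTML, so it never learns the token."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


@dataclass
class Request:                          # minimal stand-in for a framework request
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def source_origin(req: Request) -> str | None:
    """Origin header if present, else the origin part of Referer, else None."""
    if req.headers.get("Origin"):
        return req.headers["Origin"].rstrip("/")
    parts = urlsplit(req.headers.get("Referer", ""))
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None


def check_csrf(req: Request) -> tuple[bool, str]:
    """Decide whether a state-changing request may proceed; returns (ok, reason)."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return False, "no session"
    # Layer 1: the request must come from our own origin. A missing header
    # fails closed; compare the full origin, never a substring of the host.
    src = source_origin(req)
    if src != SITE_ORIGIN:
        return False, f"bad origin {src!r}"
    # Layer 2: synchronizer token, compared in constant time (as bytes, so a
    # non-ASCII value supplied by a client cannot raise instead of failing).
    sent = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(sent, session["csrf"].encode()):
        return False, "csrf token missing or wrong"
    return True, "ok"


def browser_sends_cookie(samesite: str, same_site_request: bool,
                         top_level_get: bool) -> bool:
    """Rule a browser applies before attaching a cookie. Strict: same-site only.
    Lax: same-site, plus cross-site top-level GET navigations (a clicked link
    carries it, a hidden cross-site POST does not). None: always (needs Secure)."""
    if same_site_request or samesite == "None":
        return True
    return samesite == "Lax" and top_level_get


def demo() -> dict[str, tuple[bool, str]]:
    """One legitimate submission and two forged ones against the same session."""
    sid, _cookie = login("alice")
    token = SESSIONS[sid]["csrf"]
    legit = Request("POST", "/transfer", headers={"Origin": SITE_ORIGIN},
                    cookies={"session": sid},
                    form={"csrf_token": token, "to": "bob", "amount": "10"})
    # Forged from attacker.example: the cookie rides along (no SameSite assumed)
    # but the Origin header names the attacker and the token is unknown to them.
    forged = Request("POST", "/transfer",
                     headers={"Origin": "https://attacker.example"},
                     cookies={"session": sid},
                     form={"to": "mallory", "amount": "1000"})
    # Same-origin Referer but no token: the second layer still rejects it.
    forged_no_token = Request("POST", "/transfer",
                              headers={"Referer": SITE_ORIGIN + "/help"},
                              cookies={"session": sid},
                              form={"to": "mallory", "amount": "1000"})
    return {"legit": check_csrf(legit), "forged": check_csrf(forged),
            "forged_no_token": check_csrf(forged_no_token)}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16s} {'ALLOW' if ok else 'REJECT':6s} {why}")
```

Running the module prints one line per request: the legitimate one is allowed, the cross-site one is rejected at the origin check before the token is even looked at, and the one with a plausible Referer but no token is rejected by the token check. The order of the two layers is deliberate: the header check is cheap and catches the ordinary cross-site case, while the token check still holds when the header is spoofed or missing.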
That’s all for this article. I hope you enjoyed reading it and now know what a CSRF attack is and which measures to use in order to prevent it 😉 👍. If you want to understand another security fundamental, CORS, check out this article about CORS. Happy reading 😊😉✨!