Enhance your password security.

Get Started
CTA icon
Hardening web applications

Cybersecurity Series: What is cross-site request forgery (CSRF) and how to defend against it

August 31, 20224 min read

Cybersecurity

In our second article of this cybersecurity series, we will be taking a look to Cross-site request forgery (CSRF). As a password manager, TeamPassword takes pride in maintaining your password data secured from attackers, but passwords managers alone cannot keep you safe. It is necessary to be aware of the main attack vectors that hackers may use to exploit cybersecurity vulnerabilities and be mindful of them while browsing the Internet.

What is cross-site request forgery and how can you defend against it?

How does CRSF work? 

Cross-site request forgery, abbreviated as XSRF or CSRF, is an attack that attempts to have users unknowingly execute actions on a web application for which they are currently authenticated. This attack is similar to the Cross-site scripting attacks (XSS), but it exploits a different type of trust: the trust that a web application has in an authenticated user.

Using this type of attack, the hacker could, for example, change the user's email address or password in the vulnerable web application, transfer funds from the user's bank account, or gain control over the user's account.

For the CRSF to work, four conditions need to happen:

1. Cookie-based session handling.

By definition, a cookie is a piece of data from a website that is stored within a web browser that the website can retrieve at a later time. Every time we log into a web application, a cookie is sent automatically to our browser so that the web application can verify our login. This way, we will be authenticated by this web application and we can take any actions we want within it. 

2. No unpredictable request parameters.

The action request (for example, changing the user's email address) does not contain any parameters whose values will be unknown to the attacker. 

3. The user clicks the malicious URL.

This is usually done by social engineering to trick the victim into clicking the URL that the attacker carefully crafted. Once clicked, the action request will be triggered without the user knowing it.

4. The user must be logged in to the vulnerable web application.

If the user is logged in to a vulnerable web application, the attacker can use the CRSF attack to exploit it, so it is always safer to log out before browsing the Internet.

An Example of a CSRF Attack

For example, let's say the user has logged in to an online banking web application. The user's browser will now have a session cookie that authenticates it in that web application.

The user decides to browse their favorite forum while being logged into that web application. There, they stumble upon an interesting post with a link, and they click it. The link looked like this, but he didn't notice it at the time:

<a href="http://vulnerable-bank.com/transfer_funds?acct=JOSE&amount=3000">Check it out!</a>

Without them knowing, clicking the link has triggered a request action that sends the user's funds to the attacker's bank account.

The request might look like this:

POST /transfer_funds HTTP/1.1
Host: vulnerable-bank.com
Content-Type: application/x-www-form-urlencoded
Cookie: SessionID=d3yght4s6

acct=JOSE
amount=3000

How to prevent CSRF attacks?

Prevention by End Users

Although CSRF is fundamentally a problem with the web application, there are two main actions that end users can take to protect themselves:

1. Before clicking on a link, always double-check that it leads you to a trustworthy website and that is not triggering any action you might not want to take.

2. Remember to log off the website before visiting another, or clear the browser's cookies at the end of each session.

Prevention by Web Developers

For the software application itself, there are several ways to harden it to prevent this type of attack:

1. Use secure tokens that the attacker would not know to embed in the link. The best way to achieve this is through a CSRF token. A CSRF token is a secure random token that is used to prevent CSRF attacks. An approach that is normally effective is to transmit the token to the client within a hidden field of an HTML form that is submitted using the POST method. The token will then be included as a request parameter when the form is submitted:

<input type="hidden" name="csrf-token" value="{{ csrf_token }}" />

2. Check the referring URL in requests received from end users and only accept requests originating from their own site.

Conclusion

Web applications are complex ecosystems, which makes it important for cybersecurity professionals to harden them against any type of attack. As an end user, it is always good to use reliable applications with certified security, especially if the application handles valuable data for you or your organization. At TeamPassword, we take security seriously, as we are the custodians of important password data. Join the hundreds of companies that trust us, and rest easy knowing that your data is in the right place.

facebook social icon
twitter social icon
linkedin social icon
Enhance your password security

The best software to generate and have your passwords managed correctly.

TeamPassword Screenshot
Recommended Articles
Uber Breach 2022

Cybersecurity

September 27, 20227 min read

The 2022 Uber Breach

2022 has been a year of tech giants getting breached. Human culpability continues to be, for the most ...

Ones and zero code in green with "XSS" in orange and centered on the page representing an XSS attack.

Cybersecurity

July 19, 20226 min read

Cybersecurity Series: What is cross-site scripting (XSS) and how do you defend against it

Cross-site scripting or XSS place malicious scripts on trusted websites, creating security vulnerabilities where the are least expected. ...

Person typing on laptop with icons for the world wide web, a chart showing progress, shopping cart, credit card, delivery truck, and dollar sign.

Business

July 14, 20227 min read

How To Secure Your Online Business Against Cyberattacks?

Online businesses can be lucrative, but they come with the risk of cyberattacks. How can you ensure online ...

The Password Manager for Teams

TeamPassword is the fastest, easiest and most secure way to store and share team logins and passwords.