facebook social icon
x social icon
linkedin social icon
Hardening web applications

Cybersecurity Series: What is cross-site request forgery (CSRF) and how to defend against it

August 31, 20224 min read

Cybersecurity

In our second article of this cybersecurity series, we will be taking a look to Cross-site request forgery (CSRF). As a password manager, TeamPassword takes pride in maintaining your password data secured from attackers, but passwords managers alone cannot keep you safe. It is necessary to be aware of the main attack vectors that hackers may use to exploit cybersecurity vulnerabilities and be mindful of them while browsing the Internet.

What is cross-site request forgery and how can you defend against it?

Table of Contents

    How does CRSF work? 

    Cross-site request forgery, abbreviated as XSRF or CSRF, is an attack that attempts to have users unknowingly execute actions on a web application for which they are currently authenticated. This attack is similar to the Cross-site scripting attacks (XSS), but it exploits a different type of trust: the trust that a web application has in an authenticated user.

    Using this type of attack, the hacker could, for example, change the user's email address or password in the vulnerable web application, transfer funds from the user's bank account, or gain control over the user's account.

    For the CRSF to work, four conditions need to happen:

    1. Cookie-based session handling.

    By definition, a cookie is a piece of data from a website that is stored within a web browser that the website can retrieve at a later time. Every time we log into a web application, a cookie is sent automatically to our browser so that the web application can verify our login. This way, we will be authenticated by this web application and we can take any actions we want within it. 

    2. No unpredictable request parameters.

    The action request (for example, changing the user's email address) does not contain any parameters whose values will be unknown to the attacker. 

    3. The user clicks the malicious URL.

    This is usually done by social engineering to trick the victim into clicking the URL that the attacker carefully crafted. Once clicked, the action request will be triggered without the user knowing it.

    4. The user must be logged in to the vulnerable web application.

    If the user is logged in to a vulnerable web application, the attacker can use the CRSF attack to exploit it, so it is always safer to log out before browsing the Internet.

    An Example of a CSRF Attack

    For example, let's say the user has logged in to an online banking web application. The user's browser will now have a session cookie that authenticates it in that web application.

    The user decides to browse their favorite forum while being logged into that web application. There, they stumble upon an interesting post with a link, and they click it. The link looked like this, but he didn't notice it at the time:

    <a href="http://vulnerable-bank.com/transfer_funds?acct=JOSE&amount=3000">Check it out!</a>

    Without them knowing, clicking the link has triggered a request action that sends the user's funds to the attacker's bank account.

    The request might look like this:

    POST /transfer_funds HTTP/1.1
    Host: vulnerable-bank.com
    Content-Type: application/x-www-form-urlencoded
    Cookie: SessionID=d3yght4s6
    
    acct=JOSE
    amount=3000

    How to prevent CSRF attacks?

    Prevention by End Users

    Although CSRF is fundamentally a problem with the web application, there are two main actions that end users can take to protect themselves:

    1. Before clicking on a link, always double-check that it leads you to a trustworthy website and that is not triggering any action you might not want to take.

    2. Remember to log off the website before visiting another, or clear the browser's cookies at the end of each session.

    Prevention by Web Developers

    For the software application itself, there are several ways to harden it to prevent this type of attack:

    1. Use secure tokens that the attacker would not know to embed in the link. The best way to achieve this is through a CSRF token. A CSRF token is a secure random token that is used to prevent CSRF attacks. An approach that is normally effective is to transmit the token to the client within a hidden field of an HTML form that is submitted using the POST method. The token will then be included as a request parameter when the form is submitted:

    <input type="hidden" name="csrf-token" value="{{ csrf_token }}" />
    

    2. Check the referring URL in requests received from end users and only accept requests originating from their own site.

    Conclusion

    Web applications are complex ecosystems, which makes it important for cybersecurity professionals to harden them against any type of attack. As an end user, it is always good to use reliable applications with certified security, especially if the application handles valuable data for you or your organization. At TeamPassword, we take security seriously, as we are the custodians of important password data. Join the hundreds of companies that trust us, and rest easy knowing that your data is in the right place.

    Enhance your password security

    The best software to generate and have your passwords managed correctly.

    Images of the TeamPassword mobile and desktop apps
    Quotes Icon

    Andrew M.

    Andrew M.

    VP of Operations

    "We use TeamPassword for our small non-profit and it's met our needs well."

    Get Started

    Table Of Contents

      Related Posts
      Different icons representation malicious actors, a broken lock, wifi, and gears interconnected in the foreground with a man in a suit in the background

      Cybersecurity

      May 13, 202513 min read

      10 Types of Cyberattacks Recently Used by Hackers (2025)

      Knowledge is the best defense. In this article, we discuss how each attack works and provide tips on ...

      Woman facial recognition biometrics

      Cybersecurity

      May 11, 202510 min read

      What are the Types of Biometrics?

      The term "biometrics" gets thrown around a lot. But what counts as a biometric identifier? What are the ...

      Apples on branches in sunlight

      Cybersecurity

      May 6, 20255 min read

      How Credential Stuffing Exploits Poor Password Hygiene

      Still using "appletree" or "poochie726" for passwords? Learn why even "strong" reused passwords make you vulnerable to credential ...

      Never miss an update!

      Subscribe to our blog for more posts like this.

      Promotional image