In our second article of this cybersecurity series, we will be taking a look to Cross-site request forgery (CSRF). As a password manager, TeamPassword takes pride in maintaining your password data secured from attackers, but passwords managers alone cannot keep you safe. It is necessary to be aware of the main attack vectors that hackers may use to exploit cybersecurity vulnerabilities and be mindful of them while browsing the Internet.

What is cross-site request forgery and how can you defend against it?

How does CRSF work? 

Cross-site request forgery, abbreviated as XSRF or CSRF, is an attack that attempts to have users unknowingly execute actions on a web application for which they are currently authenticated. This attack is similar to the Cross-site scripting attacks (XSS), but it exploits a different type of trust: the trust that a web application has in an authenticated user.

Using this type of attack, the hacker could, for example, change the user's email address or password in the vulnerable web application, transfer funds from the user's bank account, or gain control over the user's account.

For the CRSF to work, four conditions need to happen:

1. Cookie-based session handling.

By definition, a cookie is a piece of data from a website that is stored within a web browser that the website can retrieve at a later time. Every time we log into a web application, a cookie is sent automatically to our browser so that the web application can verify our login. This way, we will be authenticated by this web application and we can take any actions we want within it. 

2. No unpredictable request parameters.

The action request (for example, changing the user's email address) does not contain any parameters whose values will be unknown to the attacker. 

3. The user clicks the malicious URL.

This is usually done by social engineering to trick the victim into clicking the URL that the attacker carefully crafted. Once clicked, the action request will be triggered without the user knowing it.

4. The user must be logged in to the vulnerable web application.

If the user is logged in to a vulnerable web application, the attacker can use the CRSF attack to exploit it, so it is always safer to log out before browsing the Internet.

An Example of a CSRF Attack

For example, let's say the user has logged in to an online banking web application. The user's browser will now have a session cookie that authenticates it in that web application.

The user decides to browse their favorite forum while being logged into that web application. There, they stumble upon an interesting post with a link, and they click it. The link looked like this, but he didn't notice it at the time:

<a href="http://vulnerable-bank.com/transfer_funds?acct=JOSE&amount=3000">Check it out!</a>

Without them knowing, clicking the link has triggered a request action that sends the user's funds to the attacker's bank account.

The request might look like this:

POST /transfer_funds HTTP/1.1
Host: vulnerable-bank.com
Content-Type: application/x-www-form-urlencoded
Cookie: SessionID=d3yght4s6

acct=JOSE
amount=3000

How to prevent CSRF attacks?

Prevention by End Users

Although CSRF is fundamentally a problem with the web application, there are two main actions that end users can take to protect themselves:

1. Before clicking on a link, always double-check that it leads you to a trustworthy website and that is not triggering any action you might not want to take.

2. Remember to log off the website before visiting another, or clear the browser's cookies at the end of each session.

Prevention by Web Developers

For the software application itself, there are several ways to harden it to prevent this type of attack:

1. Use secure tokens that the attacker would not know to embed in the link. The best way to achieve this is through a CSRF token. A CSRF token is a secure random token that is used to prevent CSRF attacks. An approach that is normally effective is to transmit the token to the client within a hidden field of an HTML form that is submitted using the POST method. The token will then be included as a request parameter when the form is submitted:

<input type="hidden" name="csrf-token" value="{{ csrf_token }}" />

2. Check the referring URL in requests received from end users and only accept requests originating from their own site.

Conclusion

Web applications are complex ecosystems, which makes it important for cybersecurity professionals to harden them against any type of attack. As an end user, it is always good to use reliable applications with certified security, especially if the application handles valuable data for you or your organization. At TeamPassword, we take security seriously, as we are the custodians of important password data. Join the hundreds of companies that trust us, and rest easy knowing that your data is in the right place.