Understanding CSRF: How Cross-Site Request Forgery Works

CSRF attacks are an old and well-established method of attacking individual users of a website by forging requests from the victim’s own browser, often through embedded content such as an iframe.
Fortunately, most sites have protections in place to prevent this kind of attack. Even so, it’s a great idea to understand the basic methods of how attackers use CSRF requests, because this knowledge can make you a more informed – and therefore safer! – internet user.
An attacker can use a Cross-site Request Forgery (CSRF) to force a victim’s browser to make forged requests to a web application that the victim is already authenticated to. In other words, the attacker exploits the fact that the browser automatically attaches the target site’s session cookies to any request sent to that site, even when the request is triggered from a page on a totally different domain.
Understanding a CSRF Attack Scenario
In a CSRF attack, the attacker leverages the victim’s authenticated session on one website, triggered from a page on another website, to perform unauthorized actions on the site the victim is logged into.
To understand what this looks like, let’s imagine that there are two websites: WebsiteABC and WebsiteXYZ.
WebsiteABC is a legitimate website run by an authentic company. When their users visit WebsiteABC, they allow cookies to record their activity on the site. These cookies automatically authenticate the users on WebsiteABC, which is convenient for both the site and the user.
However, WebsiteXYZ is an illegitimate URL hosted by an attacker who wants to gain access to WebsiteABC’s data and manipulate its users into doing things they never intended to do.
The cybercriminals at WebsiteXYZ can make it so that when someone visits their website, a forged request reproduces a legitimate request to WebsiteABC’s domain. The cookies that authenticated the user on WebsiteABC now authenticate the forged request as well, and the hackers will have managed to trick the user into giving permission for many different actions.

Types of damage caused by a CSRF attack
These are some of the things that a CSRF attack can prompt a user to do:
- Submit a change of email/password request: This allows the attacker to take over the account.
- Post unauthorized content or spam: The attacker can post content or send messages as the victim.
- Initiate a funds transfer: The attacker can force money transfers from the victim’s account.
- Make unauthorized purchases: The attacker can force the victim to buy items or services.
- Add items to shopping cart: The attacker can add expensive items to the victim’s shopping cart.
- Change account permissions: The attacker can modify the victim’s account privileges.
- Delete data: The attacker can force deletion of the victim’s data.
- Upload malware or shells: The attacker can upload malicious scripts in the victim’s account.
- Alter website content: The attacker can modify website text/code through the victim’s account.
- Share private content: The attacker can force sharing of sensitive documents.
- Logout user: The attacker can force logout to deny service.
Domain Access Controls & the Same Origin Policy
In order to understand how a CSRF attack works, let’s back up and talk about Domain Access Controls. These controls restrict users’ access to resources on a network based on the domain or security group they belong to.
Via the <iframe> tag, coders can embed one URL inside another page. However, cross-frame communication is not possible because of the “Same Origin Policy.” This prevents a page on one domain from reading the data returned by a different domain.
In order for data to be read across different iframes, three conditions must be met:
- Same domain
- Same scheme (http or https)
- Same port
When all of these conditions are met, the browser treats the two frames as one origin and lets them read each other’s data. The CSRF attacker works around this restriction rather than satisfying it: the attack only needs the browser to send the forged request with the victim’s cookies attached, which the Same Origin Policy does not block, and it never needs to read the response.
Additionally, CSRF attacks are only successful when the targeted user has an active session with the original website.
How common are CSRF attacks?
CSRF attacks were first detected in 2000 and given their name in 2001. For years, they were included in the OWASP Top 10 risks, but smart and effective security fixes have reduced their success rates. They are still out there, but they seem to have fallen out of favor with more savvy cyber criminals.
Here are some newsworthy events related to CSRF attacks and vulnerabilities:
- A CSRF attack against the software firm Atlassian Jira in 2022
- In 2012, banking malware was spread to millions of DSL modems in Brazil via CSRF vulnerabilities
- Home DSL routers were vulnerable in 2008 to a CSRF attack

CSRF Protections
There are two groups who need to be aware of how to avoid CSRF attacks: internet users and web developers.
How can internet users protect themselves from a CSRF attack?
Although individual users are unlikely to be able to identify a well-hidden CSRF attack, there are certainly ways to protect yourself online.
These are 12 steps you can take to protect your personal information from being accessed by a cyber criminal using an exploitative CSRF link.
- Log out of websites after you use them. This reduces the number of sites an attacker can exploit.
- Be cautious of embedded content. Don’t click on random or suspicious links that could trigger a forged request.
- Disable autosaving of passwords. Always enter your passwords manually.
- Log out of every website after you use it. CSRF attacks only work if you are actively engaged in a current session on a vulnerable site.
- Monitor your accounts regularly. Frequently check your bank balances, social media accounts, etc. for unauthorized changes.
- Use 2-factor authentication (2FA). This provides an extra layer of protection beyond cookies and passwords.
- Keep your software up to date. Be sure to patch and update programs regularly to fix vulnerabilities.
- Use antivirus and firewall software to filter out known malicious sites and scripts.
- Avoid accessing public WiFi networks for sensitive tasks.
- Check to see if the site you are visiting is HTTPS or HTTP, as HTTP sites are more prone to manipulation of content and requests.
- Clear your cookies and cache regularly to remove any saved cookies.
- Use private or incognito browsing so that you do not stay logged into sites after you close the window.

How can a web developer prevent Cross-site Request Forgery attacks on their domains?
Web developers are responsible for providing the safest possible browsing experience for the users of their site. Effectively blocking CSRF attacks is an incredibly important aspect of providing that safe experience.
Here are 11 tips for protecting your users:
- Require CSRF tokens. These randomly generated tokens must be submitted with any state-changing request, thus verifying that the request came from your site.
- Validate the Referer header. Check that requests originate from pages on your site, and disallow requests with a missing or external Referer.
- Use proper CORS settings. Disable CORS for APIs that don’t need external access, and only allow CORS if necessary.
- Validate the origin of all AJAX requests. Does the Origin header match your domain?
- Require re-authentication for sensitive actions, such as money transfers and account closures.
- Implement rate limiting to throttle frequent requests, which will allow you to detect slow brute force attacks.
- Don’t allow GET requests to have side effects or modify state. Only POST/PUT/DELETE should change any user data.
- Set secure cookie and header flags on all responses so that scripts embedded in other sites cannot submit cross-origin requests that carry your users’ cookies.
- Log out inactive sessions via a timeout script that invalidates any session after a set period of no use.
- Follow least privilege principles and only allow necessary privileges.
- Perform penetration testing to test your application security and fix vulnerabilities.
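The following is an added example, not code from the article: a minimal gate placed in front of a state-changing endpoint that applies the three Same Origin Policy conditions (scheme, host, port) to the Origin/Referer header, rejects state changes via GET, and requires a per-session CSRF token compared in constant time. The site origin, session layout and header/form dictionaries are assumptions for illustration.

```python
# Added example (not from the article): a minimal CSRF gate for a state-changing endpoint.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://websiteabc.example"      # hypothetical origin of the protected site
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def same_origin(url_a: str, url_b: str) -> bool:
    """The three Same Origin Policy conditions: scheme, host and port must all match."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    port_a = a.port or DEFAULT_PORTS.get(a.scheme)
    port_b = b.port or DEFAULT_PORTS.get(b.scheme)
    return a.scheme == b.scheme and a.hostname == b.hostname and port_a == port_b


def issue_csrf_token(session: dict) -> str:
    """Generate a random per-session token; the server keeps it and embeds it in its own forms."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def check_state_changing_request(method: str, headers: dict, form: dict, session: dict):
    """Gate in front of a state-changing handler. Returns (allowed, reason)."""
    # No side effects on GET: state-changing endpoints accept only POST/PUT/PATCH/DELETE.
    if method.upper() not in STATE_CHANGING_METHODS:
        return False, "state change not allowed via " + method.upper()
    # Origin/Referer must be our own origin; a missing header is rejected as well.
    source = headers.get("Origin") or headers.get("Referer")
    if not source or not same_origin(source, SITE_ORIGIN):
        return False, "missing or foreign Origin/Referer"
    # The submitted token must equal the session's token. A page on another origin
    # cannot read this token (Same Origin Policy), so it cannot include it in a forged form.
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    session = {"user": "alice"}                     # constructed sample session
    token = issue_csrf_token(session)
    legit = check_state_changing_request("POST", {"Origin": SITE_ORIGIN},
                                         {"email": "new@example", "csrf_token": token}, session)
    forged = check_state_changing_request("POST", {"Origin": "https://websitexyz.example"},
                                          {"email": "attacker@example"}, session)
    print(legit, forged)   # (True, 'ok') (False, 'missing or foreign Origin/Referer')
```

In the forged case the request carries the victim’s cookies (so `session` is populated) but fails on the Origin check first; even a forged request with a spoofed-looking Referer would still fail on the token, which only the site’s own pages can read.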
The importance of avoiding CSRF attacks
CSRF attacks are a dangerous exploitation strategy that attackers use to trick authenticated users into unknowingly taking malicious actions on the websites they visit.
However, with proper precautions by users and comprehensive defenses implemented by developers, the threat of CSRF can be greatly reduced. Individuals should be cautious about clicking suspicious links and relying heavily on auto-login. Developers should leverage tools like randomized tokens, CORS, and request validation to verify that each state-changing request really came from their own site.
Staying vigilant and keeping sites secure will continue to be the best way to mitigate risks and protect users from the bad actions of Cross-Site Request Forgery attacks.
Frequently Asked Questions
How do you solve CSRF problems?
To solve CSRF problems, implement CSRF tokens that verify request authenticity, validate the origin and referer headers, and disable state-changing actions on GET requests. Using strong security protocols like CORS and session timeouts also helps prevent CSRF attacks.
What causes a CSRF attack?
A CSRF attack happens when an attacker tricks a user into unknowingly performing actions on a website where they’re authenticated, leveraging the user’s session cookies to gain access. This can happen when users click on malicious links or visit compromised sites while logged into other accounts.
What is CSRF and how does it work?
CSRF (Cross-Site Request Forgery) is a cyberattack where an attacker forces an authenticated user’s browser to submit forged requests to another website. The attacker exploits session cookies, making it seem like the request came from the authenticated user, allowing unauthorized actions.
What is the common method to protect against CSRF?
The most common method to protect against CSRF is using CSRF tokens, which are unique, randomly generated values that verify the legitimacy of a request. These tokens ensure that requests originate from the intended user, preventing unauthorized commands.
What is the strongest defense against CSRF attacks?
The strongest defense against CSRF attacks is a combination of CSRF tokens for state-changing requests and proper CORS settings. Validating request origins, limiting privileges, and ensuring secure session management further strengthens protection.
When should I disable CSRF?
Disable CSRF protection only in cases where cross-site functionality is essential, and there’s secure validation of all requests, such as for trusted internal systems. However, disabling CSRF is generally discouraged for public-facing applications due to the high risk of exploitation.