Cross-Site Request Forgery
Learn CSRF attacks and defenses through focused security exercises.
Introduction to CSRF
theoryLearn the fundamentals of Cross-Site Request Forgery attacks and their impact.
What is Cross-Site Request Forgery (CSRF)?
Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit unintended requests to a web application. The attacker tricks the victim into executing unwanted actions on a web application where they are currently authenticated.
How CSRF Works
- User logs into a legitimate website, such as online banking.
- User visits a malicious website while still logged in.
- Malicious site sends a request to the legitimate site using the user’s session.
- The legitimate site processes the request as if the user intended it.
Common CSRF Attack Vectors
- HTML Forms: Auto-submitting forms with hidden fields
- Image Tags: Using
img srcto trigger GET requests - JavaScript: AJAX requests from malicious sites
- Links: Tricking users to click malicious links
Example CSRF Attack
<!-- Malicious HTML page -->
<form action="https://bank.com/transfer" method="POST" id="csrf-form">
<input type="hidden" name="amount" value="1000">
<input type="hidden" name="to_account" value="attacker_account">
</form>
<script>document.getElementById('csrf-form').submit();</script>
Impact of CSRF
- Unauthorized fund transfers
- Account settings changes
- Password modifications
- Data deletion or modification
Knowledge Check
What is required for a CSRF attack to be successful?
CSRF Protection Mechanisms
theoryLearn about different methods to prevent CSRF attacks.
CSRF Protection Mechanisms
There are several effective methods to prevent CSRF attacks. The key is to ensure that requests genuinely originate from the authenticated user.
1. CSRF Tokens
The most common and effective protection method:
- Generate a unique, unpredictable token for each session
- Include the token in all state-changing requests
- Verify the token on the server before processing requests
<form method="POST">
<input type="hidden" name="csrf_token" value="abc123xyz789">
<input type="text" name="email">
<button type="submit">Update Email</button>
</form>
2. SameSite Cookie Attribute
Prevents cookies from being sent with cross-site requests:
Set-Cookie: sessionid=abc123; SameSite=Strict
Set-Cookie: sessionid=abc123; SameSite=Lax
3. Origin and Referer Headers
Verify that requests come from the expected origin:
- Check the Origin header matches your domain
- Validate the Referer header, though it is less reliable
4. Double Submit Cookie
Store CSRF token in both a cookie and request parameter:
- Set CSRF token as a cookie
- Include the same token in a form or header
- Verify both values match
Knowledge Check
Which CSRF protection method is considered the most secure?
Basic CSRF Attack - Email Change
simulationPractice exploiting a CSRF vulnerability to change user email address.
Simulation Objective
Practice exploiting a CSRF vulnerability to change user email address.
Target
/profile/update
Scenario
Email change
CSRF with Auto-Submit
simulationCreate a CSRF attack that automatically submits when the page loads.
Simulation Objective
Create a CSRF attack that automatically submits when the page loads.
Target
/transfer/money
Scenario
Fund transfer
Image-based CSRF Attack
simulationExploit CSRF using image tags for GET-based vulnerable endpoints.
Simulation Objective
Exploit CSRF using image tags for GET-based vulnerable endpoints.
Target
/account/delete
Scenario
Account deletion
CSRF with AJAX
simulationPerform CSRF attacks using JavaScript and AJAX requests.
Simulation Objective
Perform CSRF attacks using JavaScript and AJAX requests.
Target
/account/password
Scenario
Password change
CSRF Token Bypass Techniques
theoryLearn methods to bypass weak CSRF token implementations.
CSRF Token Bypass Techniques
Even when CSRF tokens are implemented, they may have weaknesses that can be exploited by attackers.
Common Bypass Techniques
1. Missing Token Validation
- Application accepts requests without CSRF tokens
- Simply omit the token from the request
- Server does not enforce token presence
2. Predictable Tokens
- Tokens generated using weak algorithms
- Sequential or timestamp-based tokens
- Reused tokens across sessions
3. Token Leakage
- Tokens exposed in URLs through GET parameters
- Tokens in Referer headers
- Tokens accessible via XSS
4. Subdomain Attacks
- Weak domain validation
- Accepting requests from any subdomain
- Cookie scope issues
Testing for CSRF Vulnerabilities
- Remove CSRF token and replay request.
- Change token value to invalid or empty.
- Use token from a different session.
- Check if token is validated on the server.
- Test with different HTTP methods.
Example Bypass
# Original request with token
POST /transfer HTTP/1.1
csrf_token=abc123&amount=100&to=victim
# Bypass attempt - remove token
POST /transfer HTTP/1.1
amount=100&to=attacker
Knowledge Check
Which scenario makes CSRF tokens ineffective?