Cross-site Request Forgery (CSRF or XSRF) is a type of attack that occurs when a malicious email, blog, website, or program causes the user's web browser to perform an unwanted action on a trusted site where the user is currently authenticated. It can result in damaged client relationships, unauthorized fund transfers and data theft. It is typically carried out using an email or a link that tricks the victim into sending a forged request to the server.
Example: Before launching an attack, the attacker studies the application in order to craft a forged request that appears legitimate. A GET request for transferring $100 might look like
GET http://demo.com/transfer.do?acct=PersonB&amount=$100 HTTP/1.1
The attacker can modify this request to transfer the amount into his own account by rewriting it as
GET http://demo.com/transfer.do?acct=AttackerB&amount=$100 HTTP/1.1
Now this hyperlink can be distributed by email to a large number of customers. Those who click the link while logged into their account will transfer $100 unknowingly.
Prevention of CSRF attacks:
There are a number of effective ways to prevent CSRF attacks. Users should keep their login credentials out of the hands of unauthorized users who could otherwise access the applications. Some of the preventive measures are as follows:
- Securing usernames and passwords
- Not allowing browsers to remember passwords
- Avoiding simultaneous browsing of other sites while logged into an application
- Logging off web applications when not in use
While accessing web applications, a unique random token should be generated for every session (or every request) and tied to the requester's session ID. The server should subsequently check and verify these tokens, and block requests whose token is missing or duplicated. Any request whose token does not match the session is therefore blocked.
Another method for preventing this attack is to place a random token in both a cookie and a request parameter, so that the server can match the two values and verify the token before allowing access to the application. A caveat: tokens carried in URLs can leak through HTTP log files, through the referrer header if the protected site links to an external URL, and through network appliances that log the first line of an HTTP request, so the token should be sent in a request parameter rather than in the URL.
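The following is an added example, not code from the original article, of the session-bound token check and the double-submit-cookie check described above. The in-memory `SESSIONS` store and the `/transfer.do` handler are constructed stand-ins for a real session backend and web framework.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for a real session backend.
# Maps session id -> session data, including the CSRF token bound to that session.
SESSIONS: dict[str, dict] = {}


def start_session() -> str:
    """Create a session and bind a fresh, unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "PersonA", "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid: str) -> str:
    """Embed the session's token as a hidden POST field (not in the URL, so it
    does not end up in server logs or referrer headers)."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/transfer.do">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="acct"><input name="amount"></form>')


def handle_transfer(cookies: dict, params: dict) -> str:
    """Server-side handler for /transfer.do. A forged cross-site request carries
    the victim's session cookie automatically, but the attacker cannot read the
    per-session token, so requests without a matching token are rejected."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return "401 not authenticated"
    submitted = params.get("csrf_token")
    if not submitted:
        return "403 missing csrf token"              # missing value -> block
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "403 csrf token mismatch"             # forged/guessed token -> block
    # Double-submit variant: if the app also issues the token as a cookie,
    # the cookie copy and the request parameter must agree.
    cookie_token = cookies.get("csrf")
    if cookie_token is not None and not hmac.compare_digest(cookie_token, submitted):
        return "403 csrf cookie mismatch"
    return f"200 transferred {params['amount']} to {params['acct']}"
```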