Cross-site request forgery (CSRF) is a type of web application security vulnerability. It occurs when an attacker tricks a user into performing actions on a web application to which the user is authenticated, without the user’s knowledge or consent. This vulnerability exploits the trust that a web application has in the authenticated user.

How CSRF works

1. Victim authentication: The victim logs into a web application (such as a bank’s website) and their session is authenticated using cookies or tokens.

2. Attacker preparation: The attacker creates a malicious request to perform an action on the web application on behalf of the authenticated user (e.g. transfer money from the user’s bank account).

3. Victim interaction: The attacker tricks the victim into visiting a web page they control or an email with an embedded image/link. This web page contains the malicious request.

4. Request execution: When the victim’s browser loads the malicious web page, it sends the request to the target web application. Since the user is already authenticated, the web application processes the request as if it came from the authenticated user.

Example scenario

1. Logging in: Uğur logs into her bank account at bank.com and her session is authenticated by a session cookie.

2. Malicious link: An attacker sends Uğur an email with a link to a malicious web page, or Uğur visits a malicious web page. The web page contains the following HTML code:

HTML <img src=”http://bank.com/transfer?amount=1000&to=attacker_account” style=”display:none;”>

3.Request sent: When Uğur’s browser loads this web page, it automatically sends a GET request to bank.com to transfer money, using Uğur’s authenticated session.

4.Execution: The bank’s server receives the request and processes it, thinking it’s a legitimate action by Uğur. The money is transferred to the attacker’s account.

Preventing CSRF

1. CSRF tokens: Include a unique token in any request that changes state on the server. This token is usually embedded in forms and validated by the server on submission.

· Implementation: A token is generated and stored in the user’s session and also included as a hidden field in forms. When a form is submitted, the server checks that the token in the request matches the token stored in the session.

HTML <input type=”hidden” name=”csrf_token” value=”random_generated_token”>

2.SameSite cookies: Use the SameSite attribute in cookies to prevent the browser from sending cookies with cross-site requests.

HTTP “ Set-Cookie: sessionid=abc123; SameSite=Strict “

3.Validate Referer and Origin headers: Validate the Referer or Origin headers to ensure that requests are coming from trusted sources.

4.Custom HTTP headers: Use custom headers with JavaScript that are not allowed to be sent cross-origin by default (e.g. using XMLHttpRequest or Fetch API).

Example of CSRF Token Implementation
Server-Side (Generating Token):

PYTHON from flask import Flask, session, request, render_template_string

import os

app = Flask(__name__)

app.secret_key = os.urandom(24)

@app.route(‘/form’)

def form():

csrf_token = os.urandom(24).hex()

session[‘csrf_token’] = csrf_token

return render_template_string(‘’’

<form method=”post” action=”/submit”>

<input type=”hidden” name=”csrf_token” value=”{{ csrf_token }}”>

<input type=”text” name=”data”>

<input type=”submit” value=”Submit”>

</form>

‘’’, csrf_token=csrf_token)

@app.route(‘/submit’, methods=[‘POST’])

def submit():

if session[‘csrf_token’] != request.form[‘csrf_token’]:

return “CSRF token mismatch!”, 400

# Process the form data

return “Form submitted successfully!”

Conclusion

CSRF is a serious security vulnerability that can lead to unauthorised actions being performed in the name of an authenticated user. Mitigation strategies such as CSRF tokens, SameSite cookies and header validation are essential to protect web applications from such attacks. Understanding and properly implementing these defences can significantly reduce the risk of CSRF vulnerabilities.