What is a CSRF attack and how to prevent it?
Both developers and users have a role to play in stopping the loss of money and credentials to CSRF attacks. This time we will discuss what a CSRF attack is and how to prevent it.
Cross-Site Request Forgery (CSRF) is one of the oldest ways of exploiting website vulnerabilities. It targets server-side web applications that require authentication, such as logging in. During a CSRF attack, the attacker aims to force the victim's browser to make malicious, unauthorized web requests on the victim's behalf.
Weak website security practices and carelessness on the user's side are among the common causes of successful CSRF attacks. Let's look at what a CSRF attack is and how to prevent it, both as a developer and as a user.
What is CSRF?
Cross-Site Request Forgery (CSRF) is also known as “Session Riding” or “One-Click Attack”. It is a type of malicious exploit directed against the users of a web application. This attack has been listed as the 7th most exploitable among the top 10 web attacks.
CSRF is an attack that allows an attacker to make arbitrary HTTP POST/GET requests on behalf of a victim who is currently authenticated to a website. Many kinds of web attacks are carried out using the CSRF technique, ranging from the relatively harmless to the severe.
How Does a CSRF Attack Affect Victims?
CSRF is an attack used to submit unauthorized requests for web actions that require the user to be logged in or otherwise authenticated. CSRF attacks can take advantage of session IDs, cookies, and other server-side weaknesses to steal user credentials.
For example, enabling anti-CSRF measures prevents malicious cross-domain interactions. Once that barrier is broken, an attacker can quickly exploit the user's session ID via a cookie set in the user's browser and embed script tags into vulnerable websites.
By manipulating IDs, attackers can also redirect visitors to other web pages, or use social engineering methods such as email to send links that induce victims to download malicious software.
Once the victim performs such an action, the perpetrator sends an HTTP request to the user's service page, and the server authorizes the requested action in the attacker's favor. This can be very damaging for unsuspecting users.
A successful CSRF attack can result in the user losing their access credentials to the attacker, especially during server-side actions such as password or username change requests. In the worst case, the attacker takes over the entire session and acts on the user's behalf.
CSRF has been used to hijack fund transactions over the web as well as change usernames and passwords, causing users to lose access to affected services.
How Attackers Hijack User Sessions With CSRF
The main targets of CSRF attacks are web actions that involve user authentication. To succeed, the attack requires an involuntary action on the part of the victim.
During a CSRF attack, GET, DELETE, and PUT actions, as well as vulnerable POST requests, are prime targets for attackers. Let's take a look at what those terms mean:
* GET: A query that retrieves results from a database; for example, a Google search.
* POST: Typically used to submit a request via a web form. POST requests are common during user registration or login, otherwise known as authentication.
* DELETE: Deletes a resource from the database. You do this every time you delete your account on a web service.
* PUT: A PUT request changes or updates an existing resource. An example is changing your Facebook name.
In practice, attackers use session hijacking to support CSRF attacks. With this combination, the attacker can use the hijacking to change the victim's IP address.
The IP address change then brings the victim to a new website where the attacker has placed a deceptive link that sends the exact form, or a modified server request, that the attacker prepared via CSRF.
The unsuspecting user then believes the redirect came from the service provider and clicks the link on the attacker's web page. Once they do, the perpetrator submits the form on page load without the user's knowledge.
Example of CSRF GET Request Attack
Imagine trying to make an online payment via an insecure ecommerce platform. The platform owners use GET requests to process your transactions. That GET query might look something like this:
A hijacker can easily steal your transaction by changing the parameters of the GET request. All they need to do is swap your name for theirs and, even worse, change the amount you are willing to pay. They then change the original query to something like this:
After you click the link to the modified GET request, you end up making an unintended transfer to the attacker's account.
Transacting through GET requests is bad practice and leaves these activities vulnerable to attack.
Example of a POST Request CSRF Attack
Many developers believe it is safer to use POST requests to perform web transactions. While that is true, POST requests are unfortunately also vulnerable to CSRF attacks.
To successfully hijack a POST request, all an attacker needs is your current session ID, some form of invisible duplicate of the form, and sometimes a bit of psychological manipulation.
For example, a POST request form might look like this:
<form action="Company ABC's account" method="POST">
<input type="text" name="name" placeholder="name"><br>
<input type="number" name="amount"><br>
<input type="submit" name="submit">
</form>
However, an attacker can swap your credentials by creating a new page and changing the form above to this:
<body onload="document.getElementById('payment-form').submit();">
<form action="Attacker's account" id="payment-form" method="POST">
<input type="text" hidden name="name" placeholder="name"><br>
<input type="number" hidden value="30000" name="amount"><br>
<input type="submit" hidden name="submit">
</form>
</body>
In the manipulated form, the attacker sets the value of the amount field to “30000”, switches the recipient's account to theirs, submits the form on page load, and also hides the form fields from the user.
After they hijack the current session, your transaction page redirects to the attacker's page, which prompts you to click a link they know you are likely to visit.
Alternatively, an attacker could draft an HTML email asking you to click a link that loads the same page and triggers the form submission.
Another action vulnerable to CSRF attacks is a username or password change, an example of a PUT request. The attacker replicates your request form and replaces your email address with theirs.
Then they steal your session and redirect you to a page, or send you an email, asking you to click an interesting link.
Clicking it submits the manipulated form, which sends the password reset link to the perpetrator's email address instead of yours. In that way, the perpetrator changes your password and locks you out of your own account.
How To Prevent CSRF Attacks As A Developer
One of the best methods of preventing CSRF is to use a token that changes frequently, instead of relying on session cookies alone to authorize state changes on the server.
Many modern backend frameworks offer CSRF protection. So if you want to avoid the technicalities of implementing CSRF protection yourself, you can handle this easily by using a server-side framework that comes with built-in anti-CSRF tokens.
When you use anti-CSRF tokens, each server-side request is validated with a random string rather than with the session cookie alone, which is more vulnerable. That way, the token cannot be guessed by attackers.
Implementing two-factor authentication (2FA) for transactions in your web application also reduces the possibility of CSRF. CSRF can also be initiated through cross-site scripting (XSS), which involves injecting scripts into user-supplied fields such as comment forms. To prevent this, it is good practice to enable HTML auto-escaping on all user form fields throughout your website, so that form fields do not interpret submitted HTML elements.
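As an added example, not code from the original article, here is a minimal anti-CSRF token check in Python for the payment form above. It issues a random token bound to the session, embeds it in a hidden field, and rejects any POST whose token is missing or does not match. The in-memory token store and the handler names are assumptions made for this example; a real application would use its framework's session backend.

```python
import hmac
import re
import secrets

# Per-session token store. A constructed in-memory stand-in for a real
# session backend (assumption made for this example).
_session_tokens: dict[str, str] = {}

def issue_csrf_token(session_id: str) -> str:
    """Mint a fresh random token, bind it to the session, and return it."""
    token = secrets.token_urlsafe(32)
    _session_tokens[session_id] = token
    return token

def render_transfer_form(session_id: str) -> str:
    """Render the payment form with the token in a hidden field.
    A page on another origin cannot read this value, so it cannot forge it."""
    token = issue_csrf_token(session_id)
    return (
        '<form action="/transfer" method="POST">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="name">'
        '<input type="number" name="amount">'
        '<input type="submit" name="submit"></form>'
    )

def token_from_form(html: str) -> str:
    """Pull the hidden token back out of the rendered HTML, as the real user's
    browser would submit it; an attacker's auto-submitting form has no such value."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return match.group(1) if match else ""

def handle_transfer(session_id: str, form: dict) -> tuple[int, str]:
    """Server-side POST handler: accept only if the submitted token matches
    the one bound to the session, compared in constant time."""
    expected = _session_tokens.get(session_id)
    submitted = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, submitted):
        return 403, "CSRF token missing or invalid"
    # Rotate after use so a captured form cannot be replayed.
    issue_csrf_token(session_id)
    return 200, f"transfer of {form['amount']} to {form['name']} accepted"
```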
How To Prevent CSRF Attacks As A User
As a user of web services that involve authentication, you also have a role to play in preventing attackers from stealing your credentials and sessions via CSRF. Make sure you use trusted web services for activities that involve transferring funds. In addition, use secure web browsers that protect users from session exposure, and secure search engines that protect against browsing data leaks.
As a user, you can also rely on third-party authenticators such as Google Authenticator or its alternatives to verify your identity on the web. While you may not be able to stop an attacker from hijacking your session, you can still help prevent this by ensuring that your browser does not store information such as passwords and other login details.
So what is CSRF? CSRF is a type of attack in which commands are executed on a system without the authority to do so. It is carried out by exploiting security holes in the system.
Developers need to test web applications for security weaknesses regularly, both during development and after deployment. However, it is common to introduce new vulnerabilities while trying to prevent others. So take care that you are not weakening any other security control when blocking CSRF.
That concludes this article on what a CSRF attack is and how to prevent it. Look forward to other interesting articles, and don't forget to share this article with your friends. Thank you.
Just an ordinary person who wants to share a little knowledge, hopefully the knowledge I provide can be useful for all of us. Keep in mind! Useful knowledge is an investment in the afterlife.