Cross-Site Request Forgery (CSRF) Attacks


What is CSRF

Cross-site request forgery (CSRF), also known as XSRF, Sea Surf or Session Riding, is an attack vector that tricks a web browser into executing an unwanted action in an application to which a user is logged in.

A successful CSRF attack can be devastating for both the business and the user. It can result in damaged client relationships, unauthorized fund transfers, changed passwords or e-mail addresses (and with them account takeover), and unwanted changes to the victim's data. Note that CSRF lets the attacker cause an action; it does not let the attacker read the response, so it is not by itself a way to steal session cookies or other data. That is the province of cross-site scripting.

CSRF attacks are typically delivered through social engineering, such as an email or a link that tricks the victim into sending a forged request to the server. Because the victim is authenticated to the application at the time of the attack, the browser attaches the session cookie automatically, and the server cannot tell a forged request from a legitimate one on the basis of the cookie alone. Distinguishing them requires something the attacker's page cannot supply, such as an anti-CSRF token bound to the session, an Origin header check, or cookies marked SameSite.

CSRF Attack Example

Before launching an attack, an attacker typically studies the target application so that the forged request matches exactly what the application expects: the URL, the HTTP method and the parameter names.

For example, a typical GET request for a $100 bank transfer might look like:

A bad actor can embed the request into an innocent-looking hyperlink:

Next, the attacker can distribute the hyperlink via email to a large number of the bank's customers. Anyone who clicks the link while logged into their bank account will unintentionally initiate the $100 transfer, because the browser sends the bank's session cookie along with the request.

Note that if the bank's website only accepts POST requests for the transfer, a plain <a href> link cannot forge it, since following a link issues a GET. However, the attacker can host a page containing a hidden <form> whose action points at the bank, with a short piece of JavaScript that submits the form as soon as the page loads. The browser still attaches the victim's cookies to that cross-site POST, so the effect is the same as the link.
