CSRF Attacks – An Introduction


Cross-site request forgery, abbreviated as CSRF and also known as XSRF (the X represents Cross), is an attack whereby unauthorized commands are transmitted from a user that the website trusts.

Why the name XSRF?
Well, let’s not argue about the name. According to me, the name has its origin in XSS (Cross Site Scripting), which cannot be abbreviated as CSS (Cascading Style Sheets).

Now why does the website trust it?
Well, it does so because hackers exploit the trust that a site has in its authorized users, or in other words, in the user’s SESSION.

The following example will make it clear how CSRF works.
Suppose a bank site is CSRF vulnerable.
Now let’s assume that User A wants to transfer X amount of money to User B, and the form he has to fill out contains the following fields:

  1. Amount
  2. User B’s account number (let’s assume it is 1234)

Suppose the form sends a POST/GET request to a script (let’s call it http://studbank.com/transfer.php) which checks for USER A’s session and then transfers the amount according to the GET/POST variables.
Now let’s assume the HACKER (maybe B) gives the victim (A) the following link –

http://studbank.com/transfer.php?amount=100&user=<Hacker’s account number>

Woo! As you can see, the script will check for USER A’s session and transfer 100 bucks to the HACKER’s account.
Thus the HACKER exploits USER A’s SESSION (the proof of the user being logged in) to transfer money to his account.
If the User is too cautious to accept any links from the Hacker, the Hacker may also trick the User into visiting a page which has the following HTML anywhere in it –

<img src="http://studbank.com/transfer.php?amount=100&user=<Hacker’s account number>"/>

Bingo! – Money is transferred without the User knowing.
The above has been done for GET requests. POST requests can be forged as well, via automatically submitting forms.
CSRF can be used against every site that involves user interaction (in technical terms, sending an HTTP request) where the USER’s session can be used to send unwanted (I won’t call it Unauthorised LOL) requests that execute actions the user wouldn’t like.

Another place where CSRF can be used is adding an admin on a website: the Hacker tricks the Administrator into sending an HTTP request to the script that adds an admin, thereby using the Administrator’s Session to do so.

The following sums it up –

Prevention –

  • Anti-CSRF tokens
  • Captchas
  • Passwords to authenticate every POST request
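
The first item in the list, anti-CSRF tokens, sketched in Python as an added example (it is not code from the original post or from any real bank). handle_transfer is a hypothetical stand-in for transfer.php, and the session ids, the account number 9999 and the key handling are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Server-side secret; constructed for this example (load it from config in practice).
SERVER_KEY = secrets.token_bytes(32)

def issue_csrf_token(session_id: str) -> str:
    """Token tied to one session: nonce + HMAC(key, session_id|nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}|{nonce}".encode(), hashlib.sha256)
    return f"{nonce}.{mac.hexdigest()}"

def csrf_token_valid(session_id: str, token) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    nonce, sent_mac = token.split(".")
    expected = hmac.new(SERVER_KEY, f"{session_id}|{nonce}".encode(), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest().encode(), sent_mac.encode())

def handle_transfer(method: str, session_id, params: dict) -> str:
    """Hypothetical stand-in for transfer.php with the checks added."""
    if session_id is None:
        return "401 not logged in"
    if method != "POST":  # state-changing actions are not accepted over GET
        return "405 use POST"
    if not csrf_token_valid(session_id, params.get("csrf_token")):
        return "403 missing or invalid CSRF token"
    return f"200 transferred {params['amount']} to {params['user']}"

def demo() -> list:
    session_a = "sess-userA"                  # constructed session id for User A
    form_token = issue_csrf_token(session_a)  # sent to A as a hidden form field
    forged = {"amount": "100", "user": "9999"}  # 9999: constructed account number
    return [
        # The link / <img> request from the article: valid session, GET, no token.
        handle_transfer("GET", session_a, forged),
        # Auto-submitted cross-site form: the session is present, the token is not.
        handle_transfer("POST", session_a, forged),
        # A token issued for some other session does not verify for User A.
        handle_transfer("POST", session_a,
                        {**forged, "csrf_token": issue_csrf_token("sess-other")}),
        # Genuine submission from the bank's own form, carrying A's token.
        handle_transfer("POST", session_a,
                        {"amount": "100", "user": "1234", "csrf_token": form_token}),
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```

The forged requests fail because a page on another site can make the browser send the request but cannot read the token that the bank embedded in its own form.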
