Monday, February 10, 2025
HomeOWASP - Top 10Cross-Site Request Forgery (CSRF) - An OWASP Vulnerability - Detailed Explanation

Cross-Site Request Forgery (CSRF) – An OWASP Vulnerability – Detailed Explanation

Published on

SIEM as a Service

Follow Us on Google News

Cross Site Request Forgery is one of the most common form of attack by online spammers and scammers. Exploicity of this attack is bit complex, it’s prevalence is common.

But CSRF attacks can be predicted easily and their impact is moderate.

CSRF scenario

Cross Site Request Forgery

In this scenario, we are having an Attacker, User, Attackers, and Target server. An attacker can share the malicious link to a user’s through Multiple ways.

Link sharing can be done through Social Media, Email and in many different ways. Once the user click’s on the link, then the link goes to the attacker’s web server.

Now the request from the attackers’ server also carries the Embedded Malicious request, which causes the user browser to issue a request to the target website.

Entire process of CSRF is to get the authenticated user, who is already authenticated to the target website. So that’s one of the condition normally need to meet for successful CSRF.

Cross Site Request Forgery

 

Cross-Site Request Forgery

In this scenario we are having a user transferring money on a banking website, now the user login to the bank and to makes Authenticate money transfer request.

The request should be like this HTTP POST http://bank.com/transfer, once the request processed then in-order to persist the user state server will send an Authcookie: 86GHTR.

Being the post request there is a request body which consists of Target Account number: 7895457898054 and where the money Amount: 100000  is to transfer.

Now the attacker can forge this request and he is the rub with CSRF if the attacker can trick the user’s browser in making this request when I may be able to successfully execute a CSRF request.

So now does an attacker execute that: Attacker already aware of the HTTP post path, they look at the bank and tell what’s the URL that you need to post to transfer money.

They already aware of the fields, so they only require the URL and request body, because if they get the user to make a request to that part with the request body.

Then the Auth Cookie will be sent automatically with the request which browsers normally do, send any cookie with the request valid for a target domain.

Cross-Site Request Forgery Defenses

  • CSRF is exploited if we use predictable patterns.
  • Employ Anti-forgery tokens, add randomness to the request.
  • The valid requests should not originate externally.
  • The referrer should be in each header’s requests.
  • Native browser defenses.
  • Fraud detection patterns.
Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Linux Kernel 6.14-rc2 Released – What’s Newly Added !

Linus Torvalds, lead developer of the Linux kernel, announced the second release candidate (rc2)...

Critical Zimbra Flaws Allow Attackers to Gain Unauthorized Access to Sensitive Data

Serious vulnerabilities in Zimbra Collaboration Suite (ZCS), a popular enterprise email and collaboration platform,...

Tor Browser 14.0.6 Released, What’s New!

The Tor Project has officially unveiled Tor Browser 14.0.6, now accessible for download from the...

Hackers Exploit AnyDesk Vulnerability to Gain Admin Access – PoC Released

A newly discovered vulnerability in AnyDesk, the popular remote desktop software, has sparked serious...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

OWASP Smart Contract Top 10 2025 Released – What’s new!

The Open Web Application Security Project (OWASP) has released its updated Smart Contract Top 10 for...

What is XSS (Cross-Site Scripting)? – A Detailed Understanding Of the Type of XSS

XSS is a very commonly exploited vulnerability type that is very widely spread and...

OWASP A10-Unvalidated Redirects and Forwards

Web applications often redirect and forward users to other pages and websites, and use...