Cross Site Request Forgery

Cross-Site Request Forgery (CSRF) is a web security vulnerability that allows attackers to induce users to perform actions they do not intend to perform. It exploits the trust that a web application has in the user's browser. CSRF attacks specifically target state-changing requests (like changing passwords or making purchases), not data theft, since the attacker cannot see the response to the forged request.

How an Attacker Can Exploit This Vulnerability

Identify a Target: The attacker identifies a vulnerable web application that performs actions based on authenticated requests.
Create a Malicious Request: The attacker crafts a request that will perform an action on the target web application.
Induce Victim to Execute the Request: The attacker tricks the victim into executing the malicious request by embedding it in a webpage, email, or another delivery method. This can be done via hidden forms, image tags, or other means.
Action Performed: When the victim’s browser sends the request, it includes the session cookies or authentication tokens, causing the action to be performed with the victim's privileges.

Potential Damage of a CSRF Attack

Account Takeover: Changing the victim's email address or password.
Unauthorized Transactions: Performing financial transactions without the victim's consent.
Data Manipulation: Deleting or altering data, changing settings, etc.
Service Misuse: Subscribing to or unsubscribing from services, modifying access controls, etc.

Brief Use Cases

Changing User Account Details: An attacker can change the victim’s email address or password, leading to an account takeover.
Performing Financial Transactions: Unauthorized fund transfers or purchases.
Changing User Settings: Altering user preferences or security settings.
Exploiting Administrative Functions: Forcing actions that require administrative privileges, such as deleting users or altering access levels.

Protecting a Web Application from CSRF

Anti-CSRF Tokens

Implementation: Generate a unique token for each session and include it in all forms and state-changing requests. Validate the token on the server side.
Requirements: Modify forms to include tokens, implement server-side validation.

SameSite Cookies

Implementation: Use the SameSite attribute in cookies to restrict them to same-site requests.
Requirements: Update server configurations to set SameSite attribute on cookies.

Example use

Good Example - 1

Using the SameSite attribute correctly to enhance security by restricting the cookie to same-site requests:

httpCopy codeSet-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=Strict

Explanation:

sessionId=abc123: The cookie name and value.
Secure: Ensures the cookie is only sent over HTTPS.
HttpOnly: Prevents the cookie from being accessed via JavaScript, mitigating XSS attacks.
SameSite=Strict: The cookie will only be sent for requests originating from the same site, providing strong protection against CSRF attacks.

Bad Example - 1

Misusing the SameSite attribute or omitting it entirely, potentially leading to security vulnerabilities:

httpCopy codeSet-Cookie: sessionId=abc123; Secure; HttpOnly

Explanation:

sessionId=abc123: The cookie name and value.
Secure: Ensures the cookie is only sent over HTTPS.
HttpOnly: Prevents the cookie from being accessed via JavaScript, mitigating XSS attacks.
Missing SameSite attribute: Without the SameSite attribute, the cookie is sent with both same-site and cross-site requests by default, which could expose the application to CSRF attacks.

Bad Example - 2

Using an inappropriate value for the SameSite attribute:

Set-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=None

Explanation:

sessionId=abc123: The cookie name and value.
Secure: Ensures the cookie is only sent over HTTPS.
HttpOnly: Prevents the cookie from being accessed via JavaScript, mitigating XSS attacks.
SameSite=None: While this allows the cookie to be sent with cross-site requests, it can only be secure if combined with Secure. If Secure is not present, it leaves the application vulnerable to CSRF attacks.

Best Practices for Implementing SameSite Cookies

Strict:
- Use SameSite=Strict for cookies containing sensitive information or those used in critical operations (e.g., authentication cookies).
- Example:
  Set-Cookie: authToken=xyz789; Secure; HttpOnly; SameSite=Strict
Lax:
- Use SameSite=Lax for cookies that should generally be sent in same-site contexts but still allow some cross-site requests (e.g., navigations from external links).
- Example:
  Set-Cookie: trackingId=def456; Secure; HttpOnly; SameSite=Lax
None:
- Use SameSite=None only when cross-site requests are necessary and ensure the Secure attribute is present to enforce HTTPS.
- Example:
  Set-Cookie: thirdParty=ghi123; Secure; HttpOnly; SameSite=None

Custom Headers
- Implementation: Require custom headers (e.g., X-CSRF-Token) for state-changing requests.
- Requirements: Modify AJAX requests to include custom headers, and implement server-side validation.
Double Submit Cookies
- Implementation: Send a CSRF token as a cookie and as a request parameter. Validate that both match.
- Requirements: Implement logic to set cookies and validate tokens on the server.
Content Security Policy (CSP)
- Implementation: Use CSP to mitigate the risk by defining where requests can be sent from.
- Requirements: Configure CSP headers to limit allowable sources.

Detailed Implementation Steps

Anti-CSRF Tokens
- Backend: Generate a token and store it in the session or a secure store.
- Frontend: Include the token in all form submissions and AJAX requests.
- Validation: Check the token on the server against the stored token before processing the request.

SameSite Cookies

Backend: Set the SameSite attribute for cookies to Strict or Lax.

Example (Node.js/Express):

app.use(session({
  secret: 'secret',
  resave: false,
  saveUninitialized: true,
  cookie: { sameSite: 'Strict' }
}));

Custom Headers
- Frontend: Add a custom header to AJAX requests.
- Backend: Validate the presence of the custom header.
- Example (AJAX with jQuery):
  $.ajaxSetup({ headers: { 'X-CSRF-Token': 'your-csrf-token' } });
Double Submit Cookies
- Backend: Set a CSRF token as a cookie.
- Frontend: Include the same token in a hidden form field or request parameter.
- Validation: Ensure the token in the request matches the token in the cookie.
Content Security Policy (CSP)
- Backend: Configure CSP headers to allow only trusted sources for requests.
- Example (Express):
  app.use((req, res, next) => { res.setHeader('Content-Security-Policy', "default-src 'self'"); next(); });

By implementing these protections, you can significantly reduce the risk of CSRF attacks on your web applications.

PreviousStored XSS NextCSRF Best Practices

Last updated 9 months ago

Was this helpful?

Cross Site Request Forgery

How an Attacker Can Exploit This Vulnerability

Identify a Target: The attacker identifies a vulnerable web application that performs actions based on authenticated requests.
Create a Malicious Request: The attacker crafts a request that will perform an action on the target web application.
Induce Victim to Execute the Request: The attacker tricks the victim into executing the malicious request by embedding it in a webpage, email, or another delivery method. This can be done via hidden forms, image tags, or other means.
Action Performed: When the victim’s browser sends the request, it includes the session cookies or authentication tokens, causing the action to be performed with the victim's privileges.

Potential Damage of a CSRF Attack

Account Takeover: Changing the victim's email address or password.
Unauthorized Transactions: Performing financial transactions without the victim's consent.
Data Manipulation: Deleting or altering data, changing settings, etc.
Service Misuse: Subscribing to or unsubscribing from services, modifying access controls, etc.

Brief Use Cases

Changing User Account Details: An attacker can change the victim’s email address or password, leading to an account takeover.
Performing Financial Transactions: Unauthorized fund transfers or purchases.
Changing User Settings: Altering user preferences or security settings.
Exploiting Administrative Functions: Forcing actions that require administrative privileges, such as deleting users or altering access levels.

Protecting a Web Application from CSRF

Anti-CSRF Tokens

Implementation: Generate a unique token for each session and include it in all forms and state-changing requests. Validate the token on the server side.
Requirements: Modify forms to include tokens, implement server-side validation.

SameSite Cookies

Implementation: Use the SameSite attribute in cookies to restrict them to same-site requests.
Requirements: Update server configurations to set SameSite attribute on cookies.

Example use

Good Example - 1

Using the SameSite attribute correctly to enhance security by restricting the cookie to same-site requests:

httpCopy codeSet-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=Strict

Explanation:

sessionId=abc123: The cookie name and value.
Secure: Ensures the cookie is only sent over HTTPS.
HttpOnly: Prevents the cookie from being accessed via JavaScript, mitigating XSS attacks.
SameSite=Strict: The cookie will only be sent for requests originating from the same site, providing strong protection against CSRF attacks.

Bad Example - 1

Misusing the SameSite attribute or omitting it entirely, potentially leading to security vulnerabilities:

httpCopy codeSet-Cookie: sessionId=abc123; Secure; HttpOnly

Explanation:

sessionId=abc123: The cookie name and value.
Secure: Ensures the cookie is only sent over HTTPS.
HttpOnly: Prevents the cookie from being accessed via JavaScript, mitigating XSS attacks.
Missing SameSite attribute: Without the SameSite attribute, the cookie is sent with both same-site and cross-site requests by default, which could expose the application to CSRF attacks.

Bad Example - 2

Using an inappropriate value for the SameSite attribute:

Set-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=None

Explanation:

sessionId=abc123: The cookie name and value.
Secure: Ensures the cookie is only sent over HTTPS.
HttpOnly: Prevents the cookie from being accessed via JavaScript, mitigating XSS attacks.
SameSite=None: While this allows the cookie to be sent with cross-site requests, it can only be secure if combined with Secure. If Secure is not present, it leaves the application vulnerable to CSRF attacks.

Best Practices for Implementing SameSite Cookies

Strict:
- Use SameSite=Strict for cookies containing sensitive information or those used in critical operations (e.g., authentication cookies).
- Example:
  Set-Cookie: authToken=xyz789; Secure; HttpOnly; SameSite=Strict
Lax:
- Use SameSite=Lax for cookies that should generally be sent in same-site contexts but still allow some cross-site requests (e.g., navigations from external links).
- Example:
  Set-Cookie: trackingId=def456; Secure; HttpOnly; SameSite=Lax
None:
- Use SameSite=None only when cross-site requests are necessary and ensure the Secure attribute is present to enforce HTTPS.
- Example:
  Set-Cookie: thirdParty=ghi123; Secure; HttpOnly; SameSite=None

Custom Headers
- Implementation: Require custom headers (e.g., X-CSRF-Token) for state-changing requests.
- Requirements: Modify AJAX requests to include custom headers, and implement server-side validation.
Double Submit Cookies
- Implementation: Send a CSRF token as a cookie and as a request parameter. Validate that both match.
- Requirements: Implement logic to set cookies and validate tokens on the server.
Content Security Policy (CSP)
- Implementation: Use CSP to mitigate the risk by defining where requests can be sent from.
- Requirements: Configure CSP headers to limit allowable sources.

Detailed Implementation Steps

Anti-CSRF Tokens
- Backend: Generate a token and store it in the session or a secure store.
- Frontend: Include the token in all form submissions and AJAX requests.
- Validation: Check the token on the server against the stored token before processing the request.

SameSite Cookies

Backend: Set the SameSite attribute for cookies to Strict or Lax.

Example (Node.js/Express):

app.use(session({
  secret: 'secret',
  resave: false,
  saveUninitialized: true,
  cookie: { sameSite: 'Strict' }
}));

Custom Headers
- Frontend: Add a custom header to AJAX requests.
- Backend: Validate the presence of the custom header.
- Example (AJAX with jQuery):
  $.ajaxSetup({ headers: { 'X-CSRF-Token': 'your-csrf-token' } });
Double Submit Cookies
- Backend: Set a CSRF token as a cookie.
- Frontend: Include the same token in a hidden form field or request parameter.
- Validation: Ensure the token in the request matches the token in the cookie.
Content Security Policy (CSP)
- Backend: Configure CSP headers to allow only trusted sources for requests.
- Example (Express):
  app.use((req, res, next) => { res.setHeader('Content-Security-Policy', "default-src 'self'"); next(); });

By implementing these protections, you can significantly reduce the risk of CSRF attacks on your web applications.

PreviousStored XSS NextCSRF Best Practices

Last updated 9 months ago

Was this helpful?