{csrf}
"CSRF/XSRF (Cross-Site Request Forgery) is a type of web application vulnerability that allows a malicious website to send unauthorized requests to a vulnerable website using active sessions of its authorized users."
--- Samvel Gevorgyan
OWAS describes CSRF as ...
CSRF is an attack that tricks the victim into loading a page that contains a milicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf like change the victim's email address.
So basically CSRF attacks target functions that cause a state change on the server but can also be used to access sensitive data.
CSRF in a nutshell
- not on the OWASP top 10 list but still an issue
- relevant for web pages where where users can log in and session id is stored in a cookie
- results from the behavior of browsers to send cookies with all requests per default
- the attack is limited to the areas the logged in user has access to
DEMO!
CSRF strategies
- CSRF tokens:
- generated and verified in the backend
- per request or per session
- store in cookie or send with every request
- not needed for GET
- Re-Authentication
- Captchas
- set SameSite attribute on cookies
- check referrer header (can be spoofed)
CSRF implementations
- many frameworks like Django have built in support
- AngularPHP
- Symfony
- PHP library recommended by OWASP