Cross-Site Request Forgery (CSRF) Attacks: Common Vulnerabilities and Prevention Methods

Cross-site request forgery (CSRF), also known as session riding, is a type of cyberattack in which authenticated users of a web application are forced to submit malicious, state-changing requests created by an attacker. CSRF attacks can:

• Alter the target’s records in an application
• Submit a transaction
• Purchase products using the target’s details
• Change passwords
• Change registered email addresses in a web application
• Send messages under the target’s name
• Transfer funds

In some instances, a CSRF attack can give hackers full access to a target’s accounts in the web application. If the targeted individual holds a privileged or controlling position within the web application, the attacker can exploit the vulnerability further to take control of the application and its data—meaning that CSRF defense is a key component of a business’s cybersecurity.

For businesses, CSRF defense represents an area of cybersecurity that deserves attention and investment due to the risk of attackers gaining access to company accounts and funds by submitting malicious requests that alter user accounts. For example, at the beginning of 2021, WordPress discovered that one of its plugins contained an embedded CSRF vulnerability that affected over 50,000 sites (Chamberland, 2021). This vulnerability allowed attackers to inject malicious JavaScript code into websites through the plugin, which attackers then used to force site users to open malicious links or attachments embedded in the affected sites.

How Do Cross-Site Request Forgery Attacks Work?

CSRF attacks often rely on social engineering methods to convince their targets to click on a malicious URL. Once a user clicks on the link, which contains an unauthorized request for a specific web application for which the user has authentication, the user’s browser sends that request to the target application (Synopsys, 2021).

Because the request also includes any relevant credentials, such as user session cookies, the application treats the new request as an authorized request sent by the user. Therefore, a CSRF attack allows cybercriminals to bypass a web application’s authentication process by attacking sites that fail to differentiate between valid and forged requests. Effective CSRF mitigation techniques focus on preventing attackers from bypassing authentication measures with this method.

For a CSRF attack to succeed, three essential conditions must be met (PortSwigger, 2021):

• There is a desirable action that the attacker wishes to perform, such as changing a password or transferring funds.
• Cookie-based session handling is in place to identify the user.
• There are no unpredictable request parameters that the attacker is incapable of determining or guessing, such as needing to know an existing password to create a new one.

If these three conditions are satisfied, an attacker can successfully construct a malicious request in a forged URL or link and convince a user to open the link while in an active session with the target web application. CSRF mitigation normally involves altering the second or third conditions on this list to prevent attackers from using cookie session data to bypass authentication processes or introduce unpredictable request parameters that attackers cannot guess.

Cross-Site Request Forgery Prevention, Mitigation, and Defense

There are three fundamental approaches that you can apply to your application’s CSRF mitigation strategy to prevent CSRF attacks and eliminate vulnerabilities (Demir, 2020):

• Using CSRF tokens in HTML forms for critical operation requests in applications
• Avoiding using the HTTP GET method for critical operations, such as create, update, and delete actions
• Using the “SameSite” attribute of the HTTP “Set-Cookie” response header

Cross-Site Request Forgery Tokens

CSRF tokens, or challenge tokens, are the most common method of CSRF mitigation. These tokens provide applications with a means of distinguishing between a request that was legitimately generated from a user’s interface and one that was not, as in the case of a CSRF attack.

CSRF tokens consist of large, random values unique to each user session and are inserted into HTML forms on both the user and server sides. Any requests generated by the user’s browser must contain the CSRF token. This allows the application server to verify a request as genuine, since a CSRF attack cannot access the token’s information in HTML (Synopsys, 2021).

SameSite Cookie Attribute

The SameSite attribute of the HTML Set-Cookie response header aims to prevent CSRF attacks by helping browsers decide when to send cookies with cross-site requests, as cookie data can allow CSRF attackers to bypass authentication processes (OWASP, 2021). Users can choose between “Lax” and “Strict” attribute values, which respectively allow or block session cookies when they arrive from external websites or when browsers encounter typical CSRF-prone request methods.

EC-Council’s Web Application Hacking and Security Certification

If you’re a cybersecurity professional seeking to gain the tools to prevent CSRF attacks, consider getting certified in Web Application Hacking and Security (W|AHS). EC-Council’s W|AHS course is a specialized web application security certification that builds on the challenges presented in other industry-respected EC-Council certification courses, such as the Certified Ethical Hacker (C|EH) and Certified Penetration Testing Professional (C|PENT), to develop your practical knowledge of how to handle advanced web application cyberattacks.

The W|AHS certification teaches advanced web hacking and security skills, covering CSRF defense, SQL injection vulnerabilities, directory browsing vulnerabilities, and 27 other core hacking and web security topics. You’ll also get to put what you’ve learned to the test with a series of “Break the Code” challenges modeled on real-world scenarios, giving you valuable hands-on experience. Learn more about the W|AHS course here, and contact EC-Council about getting certified today!