What is CSRF?
CSRF stands for Cross Site Request Forgery. It’s also known as session riding or XSRF. It is a process of hacking the data from a site through another site without the user’s knowledge. CSRF will be used to perform actions of the attackers using the session of the website which is used by the victim.
Normally when the user is logged into the website, a session will be created. Let us consider that user wants to log in into his banking application and parallelly he is also using the attacker’s website named xyz.com. So when the user is logged in, the attacker will send some auto submitting forms to the target site.
Let us see in detail with an example. Currently, the user is in attackers site named xyz.com/csrf.html and there is a hidden auto submitting a form in the page which will submit the request to the banking website.
<html> </span><span class="s1"><body onload=“document.frames[0].submit()”> </span><span class="s1"><span class="Apple-converted-space"> </span><form action = “<a href="http://sssbank.com/action.html"><span class="s2"><b>http://sssbank.com/action.html</b></span></a>" method=“post”> </span><input name1=“send_money” value=“10000”> <input name2=“A/c number” value=“01333243242432345465”> <span class="s1"></form> </span><span class="s1"></body> </span><span class="s1"></html></span></p> <p class="p1">
The attacker will hide this form in the iframe as
<iframe width=“0” height=“0” style=“visibility:hidden;” src=“<a href="http://xyz.com/csrf.html"><span class="s2">http://xyz.com/csrf.html</span></a>">
So now he can put this iframe in any of his websites and on loading the page which contains this iframe will make us to auto submit the form to the banking application and the action will be successful if the user is logged into the banking application.
Phishing:
The easiest way to exploit CSRF from a technical point of view is to have complete control over the CSRF site. Then convince your victim to visit the site. Phishing is done for both large-scale and targeted attacks.
For targeted attacks, phishing is even more effective. Intranet and administrative systems are excellent CSRF targets, and an attacker can tailor his or her phishing emails for those targets. For example, if attacking an intranet, phishers can send an email purporting to be from a corporate training partner or insurance provider. If attacking a blog, phishers can email the maintainer of a cool site. If attacking a helpdesk system, phishers can email support about a problem with the site. The victim needn’t perform any actions on the CSRF site—merely visiting the site is enough.
How to Protect Our Websites from CSRF Attack:
We can’t protect our websites from the CSRF attack by adding the confirmation screens for the sensitive actions. Attackers can bypass the confirmation screens, the better way to avoid it is to add another type of validation like sending the OTP’s etc., For changing the password the user should be asked to enter his/her current password so that the attacker cannot change the password by merely submitting the form that contains the new password.
Generating Nonce:
The Nonce is a unique token which will be generated before submitting the form and the nonce will be validated after submitting the form. Many web development languages have the support to generate the nonce. For example, rails will automatically avoid CSRF by generating the authorization token for every form.
Using CAPTCHAs:
Another way to avoid CSRF is by asking the user to enter the randomly generated CAPTCHA so that the attacker cannot know the CAPTCHA generated and he will end up with a failure.
Using Token Based Authentication:
Instead of using the sessions for authorization the web developer can use the token based authentication where the tokens will be verified on each and every request. e.g.: JWT(JSON Web Tokens)
How users can protect themselves from CSRF Attack
1. Logging Out whenever not needed:
CSRF requires the user to be logged in to perform the attack. So by logging out from the website whenever it’s not required will secure you from the CSRF attack.
2. Changing Default Passwords:
Most Attackers will perform the CSRF attack using the default password provided by the websites. The default passwords will remain same for all the users until the user changes it.
3. Using different Browsers:
Most CSRF targets require the victim to have an active session on the website in order for the attack to work. One way users can protect themselves from CSRF attacks is to use one browser for browsing sensitive, trusted sites and another for general browsing. For instance, a corporate user might use Microsoft Internet Explorer to browse his/her corporate intranet, and Firefox to browse the Internet.
Conclusion
Cross-site request forgery is a subtle attack technique that can be extremely toxic. In some cases (such as attacks against a user management system that allow an attacker to create administrative users), it can lead to the complete compromise of a web-based system. So it is essential for the developers to develop their website and applications keeping it in mind. We at Mallow Technologies, keep these security measures in mind before creating a web application.
–
Sairam Reddy,
ROR Team,
Mallow Technologies.