What is a CSRF attack and how do we prevent it?

To stop the loss of cash and credentials in a CSRF attack, both developers and users have an important role to play. This time we will discuss what a CSRF attack is and how to prevent it?

Cross-Site Request Forgery (CSRF) is one of the oldest ways to exploit site vulnerabilities. It targets the server-side web, which usually requires authentication, such as logging. During a CSRF attack, the attacker aims to force his victims to make malicious web applications that are not authorized on their behalf.

Poor or poor website security practices and inattention to users are some of the common causes of successful CSRF attacks. Let’s see what CSRF attacks are and how to prevent them as a developer or user.

Read also: What is reverse engineering: functions, examples and stages

What is CSRF?

Cross-Counterfeiting (CSRF) is also known as “Session Riding” or “One-Click Attack”. This attack is a type of malicious Exploit attack against web application users. This attack was listed as the seventh most exploitable of the top 10 web attacks.

CSRF is an attack that allows an attacker to make any unauthorized HTTP POST / GET requests on behalf of the victim currently logged on to a website. There are many types of web attacks performed using this CSRF technique, from the least dangerous to the most dangerous.

Read also: What is SQL injection: how it works, examples and types

How does the CSRF attack affect the victims?

CSRF is an attack used to implement unauthorized requests during web actions that require user authentication or authentication. CSRF attacks can take advantage of session IDs, cookies, and other server-based vulnerabilities to steal user credentials.

For example, activating anti-CSRF procedures prevents malicious interactions between domains. Once this barrier is overcome, an attacker can quickly exploit a user’s session ID through a cookie created by the user’s browser and embed script tags in vulnerable websites.

By manipulating IDs, attackers can also redirect visitors to other web pages or exploit social engineering methods, such as email to send links, causing victims to download malicious software.

After the victim performs such an action, the perpetrator sends an HTTP request to the user’s service page and authorizes the request to support the attacker. This can be very harmful for unsuspecting users.

A successful CSRF attack can result in a user losing access credentials to the attacker, especially during server-based actions, such as requests to change their password or username. In a worse scenario, the attacker takes over the entire session and acts on behalf of the user.

CSRF was used to hijack fund transactions on the web, as well as to change usernames and passwords, causing users to lose access to affected services.

How attackers hijack CSRF user sessions

The main targets of CSRF attacks are web actions that involve user authentication. In order to be successful, the unintentional action of the victim is needed.

During a CSRF attack, GET, DELETE and PUT actions, as well as vulnerable POST requests are the main targets of attackers. Let’s look at the meaning of those terms:

  • ACHIEVE: Requests to collect results from the database; for example, Google search.
  • POST: Usually to submit a request through a web form. POST requests typically occur during user registration or authentication, otherwise known as authentication.
  • REMOVE: To delete a resource from the database. Do this every time you delete your account from certain web services.
  • PUT: PUT requests modify or update existing resources. An example is renaming Facebook.

In practice, attackers use session hijacking to support CSRF attacks. When using this combination, attackers can use hijacking to change the victim’s IP address.

The change of IP address then redirects the victim to a new website where the attacker entered a fake link that sends an exactly created form or a modified server request that he made through CSRF.

The unsuspecting user then believes that the redirect is from the service provider and clicks on a link on the attacker’s web page. Once they do this, the perpetrator sends the form to the page without knowing it.

CSRF GET Request Example of attack

Imagine trying to make an online payment through an unsecured e-commerce platform. Platform owners use GET requests to process your transactions. That GET query might look like this:

https://www.websiteurl/bayar?jumlah=$10&perusahaan=[perusahaan%20ABC%27s%20account]

A hijacker can easily steal your transactions by changing the GET request parameters. To do this, all they have to do is change your name to theirs and, worse, change the amount you are willing to pay. Then they changed the original query to something like this:

https://www.websiteurl/bayar?jumlah=$20000&perusahaan=[attacker%27s%20account]

After clicking the link to the modified GET request, you accidentally transfer to the attacker’s account.

GET request transaction is a bad practice and makes the activity vulnerable to attack.

Example of CSRF POST request attack

Many developers believe that using POST requests is safer to make web transactions. While this is true, unfortunately, POST requests are also vulnerable to CSRF attacks.

To successfully hijack a POST request, all an attacker needs is the current session ID, a form of invisible duplication, and sometimes a little psychological manipulation.

For example, a POST application form might look like this:

<form action="Perusahaan ABC's account" method="POST"><input type="text" name="name" placeholder="name"><br><input type="number" name="jumlah"><br><input type="submit" name="submit"></form>

However, an attacker can change your credentials by creating a new page and changing the form above:

<body onload="document.getElementById('payment-form').submit();"> <form action="Attacker's account" id="payment-form" method="POST"><input type="text" hidden name="name" placeholder="name"><br><input type="number" hidden value=30000 name="jumlah"><br><input type="submit" hidden name="submit"></form> </body>

In the manipulated form, the attacker sets the value of the amount field to “30000”, changes the recipient’s account number to his number, sends the form to the page load, and also hides the user form field.

After hijacking the current session, your transaction page initiates a redirect to the attacker’s page, which asks you to click on a link that I know you are most likely to visit.

Clicking on it uploads a replicated form, which transfers your funds to the attacker’s account. This means you don’t have to click a “submit” button for the transaction to take place, because JavaScript does this automatically when the next web page loads.

Alternatively, an attacker could create an HTML embedded email outline by asking you to click on a link to submit the same page upload form.

Another vulnerable action to a CSRF attack is to change your username or password, for example a PUT request. The attacker replicates your request form and replaces your email address with theirs.

They then steal your session and redirect you to a page or email you asking you to click on an interesting link.

Then send a manipulated form that sends a password reset link to the perpetrator’s email address, not yours. This way, the perpetrator changes your password and logs you out of your own account.

How to prevent CSRF attacks as a developer

One of the best ways to prevent CSRF is to use a token that changes frequently instead of relying on session cookies to execute changes to the server.

Many modern backend frameworks provide security against CSRF. So if you want to avoid the technical aspects of upgrading to CSRF, you can easily get around it by using server-side frames that come with built-in anti-CSRF chips.

When you use an anti-CSRF token, server-based requests generate random strings instead of more vulnerable session cookies. This way, you can protect your session from being guessed by hackers.

Implementing a 2-factor authentication system (2FA) to execute transactions in your web application also reduces the chances of CSRF. CSRF can also be initiated by creating scripts between sites (XSS), which involves injecting script into a user field, such as a comment form. To prevent this, it’s a good practice to enable automatic HTML escape in all user form fields on your site. Prevent form fields from interpreting HTML elements.

How to prevent CSRF attacks as a user

As a user of web services that involve authentication, you have a role to play in preventing attackers from stealing your credentials and sessions through CSRF. Make sure you use a reliable web service during activities that involve transferring funds. In addition, use a secure web browser that protects users from exposure to sessions, as well as secure search engines that protect against browsing data leaks.

As a user, you can also rely on third-party authenticators, such as Google Authenticator or alternatively to verify your identity via the web. While you may not be able to prevent attackers from hijacking your sessions, you can still help prevent them by ensuring that your browser does not store information such as passwords and other login details.

Conclusion

So what is CSRF? CSRF is a type of attack that is carried out by executing commands on the system without having the authority to do so. CSRF is achieved by exploiting security gaps in the system.

Developers need to test web applications regularly for security breaches during development and deployment. However, it is common to introduce other vulnerabilities while trying to prevent other vulnerabilities. Therefore, be careful not to violate any other security settings when trying to block CSRF.


So many articles What is a CSRF attack and how to prevent it. Looking forward to more interesting articles and don’t forget to share this article with your friends. Thank you…

Leave a Comment

/* */