November 27, 2020

Cross-Site Request Forgery (CSRF)

The attacker makes the victim user carry out some action unintentionally from their own browser.

Target Area

The attacker places the malicious HTML onto a web site that they control, and then induces victims to visit that web site. This might be done by feeding the user a link to the attacker-controlled web site, via an email or social media message.

Requirements

  1. A relevant action, which the attacker has to induce the victim to perform
  2. Cookie-based session handling
  3. Predictable request parameters

Attacks

  • Any XSS can be used to bypass CSRF protections
  • Replay attack

Defenses

  • Use a nonce
  • Token based
    • SERVER-SIDE Synchronizer token; generated per session or per request
    • DON’T put the token in a cookie
    • DO put the CSRF token in hidden form fields or request headers; it can be used with both forms and AJAX calls.
    • Make sure that the token is not leaked in the server logs, or in the URL.
    • CLIENT-SIDE Encryption based token
  • Use built-in framework protections
  • SameSite Cookie attribute for session cookies
  • Use custom request headers

User Advice

  • Log off sites before visiting another.
  • Clear the browser’s cookies at the end of each browser session.

CSRF Token

A CSRF token is a unique, unpredictable value that is generated on the server-side and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client. When the later request is made, the server-side application validates that the request includes the expected token and rejects the request if the token is missing or invalid.

CSRF tokens can prevent CSRF attacks by making it impossible for an attacker to construct a fully valid HTTP request suitable for feeding to a victim user. Since the attacker cannot determine or predict the value of a user’s CSRF token, they cannot construct a request with all the parameters that are necessary for the application to honor the request.

CSRF tokens should be treated as secrets and handled in a secure manner throughout their lifecycle. An approach that is normally effective is to transmit the token to the client within a hidden field of an HTML form that is submitted using the POST method. The token will then be included as a request parameter when the form is submitted:

<input type="hidden" name="csrf-token" value="717MSS4r1XbjsIF37I0yWnWX9wX4WFoz" />
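The synchronizer token pattern described above, as an added example rather than code from the original notes: a per-session token is generated server-side, embedded in a hidden form field, and checked on every state-changing request. The session dict, the field name csrf-token and the change-email endpoint are assumptions for illustration.

```python
import hmac
import secrets

TOKEN_FIELD = "csrf-token"  # hidden form field name, as in the notes above


def issue_token(session: dict) -> str:
    """Synchronizer token: generated once per session, stored server-side only."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)  # 256 bits, unpredictable
    return session[TOKEN_FIELD]


def render_form(session: dict, action: str) -> str:
    """Embed the token in a hidden field of a POST form (never in a cookie or URL)."""
    token = issue_token(session)
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}" />'
        f'<input type="submit" value="Change email" /></form>'
    )


def validate_request(session: dict, form: dict) -> bool:
    """Server-side check on a state-changing request.

    Rejects when the session has no token, the request carries none, or the
    values differ. hmac.compare_digest keeps the comparison constant-time.
    """
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_change_email(session: dict, form: dict) -> tuple:
    """Hypothetical endpoint: the 'relevant action' a forged request would target.

    The browser attaches the session cookie to a cross-site request automatically,
    but the forged form cannot carry the token, so the request is refused.
    """
    if not validate_request(session, form):
        return 403, "CSRF token missing or invalid"
    session["email"] = form["email"]
    return 200, "email updated"
```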

Nonce

Authentication protocols may use nonces to stop replay attacks.

For instance, nonces are used in HTTP digest access authentication to calculate an MD5 digest of the password. The nonces are different each time the 401 authentication challenge response code is presented, thus making replay attacks virtually impossible.