CSRF (Cross Site Request Forgery) is a type of attack where the user’s browser is attacked when browsing around various websites, emails or messages that cause the user’s browser to behave in a certain fashion as intended by the attacker over trusted website where the user is already authenticated.
The impact of CSRF depends on the strength of the exposed vulnerability, for instance – a cash transfer, credentials changes, posting ads and so forth. Basically, CSRF is a vulnerability exposed in request and response of HTTP protocol.
How Does Cross Site Request Forgery Works?
CSRF is a very powerful attack that exposes web vulnerabilities and can result in catastrophic loss and exposure. Take for instance, if the compromised browser belongs to the administrator user then the whole web application is compromised along with the browser or if the user is authenticated to secure banking environment can cause huge loss. Therefore, the impact of the attack completely relies on the type of user being attacked. But however, CSRF is based on following parameters:
- Cookies and Session.
- URL of web production.
- Commonly used HTML tags.
- Information stored in browser.
When site’s authentication information is sent from browser in terms of Cookies and Session then the application is completely vulnerable as cookies and session information are automatically sent on request of information from browser to server, and cookies and session can be manipulated to perform the desired task.
On the other hand, specific HTML tag can go unnoticed when manipulated. Take for instance, HTML image ‘src’ tag that can be manipulated to be redirected to the attacker’s desired URL and browser has no valid mechanism to detect such vulnerability.
Using above techniques, attackers can influence the user to click on various links or even without clicking in some case resulting in sending messages, deleting information and committing transactions.
How To Prevent CSRF Attacks
CSRF is completely relying on GET and POST request for committing actions that result in a nightmare. Thus, to prevent CSRF we must take necessary steps to validate GET and POST request.
If you’re a website programmer than include uniquely generated token along with all forms and links to commit crucial actions, and validate the same identity over server side to validate if the action is actually desired or not. If the unique identification is validated, then commit action else don’t do anything.
You can see that the simple precaution can save you from CSRF. Don’t get lousy when adding one simple line of code that can save you from surprising hassle.