Oct 25, 2018
0 0

Concept Behind Cross-Site Request Forgery.

Written by

Cross-site Request Forgery, aka CSRF or one-click attack, is a diffused security issue issue where unathorized commands are sent from the user’s browser to a web site or a web application. CSRF is different from Cross-Site Scripting in the sense that it does not need to inject code into trusted pages, but can work from untrusted ones thanks to the open architecture of the web.

A quick example

I was browsing the bug tracker of a popular web service to propose an improvement, where I saw that the only Critical ticket was related to CSRF vulnerabilities.

The website uses links for the deletion of the current user’s data, such as /delete_my_items. When a user follows the link present on his account page, his session cookie establish his identity and his data is deleted.

To perform an attack, we only have to make the user load this URL. A simple link would probably not work, but we can easily reach the same goal with an image:

<img src="http://techandsecurity.net/delete_my_items" />

We just have to provide a link to a page containing this image for the user, or send it to him in an HTML email.

How it works

Unlike for XMLHttpRequest, images and other resources can be loaded from whatever hostname, and even if the image tag is hosted on a different website it won’t matter.

Since the request is performed by the user’s browser, it will transmit the session cookie as it would for any application.com page.

The point of all CSRF attacks is tricking the browser into sending an unwanted HTTP request so that there is no need to steal the identity of the user. That’s probably why our banks log us out after 2 minutes of inactivity or require one-time tokens to authorize money transfers.

READ ALSO  A Simple Virus Written...in Bash!

The assumptions of CSRF

In order for a CSRF attack to be possible, some assumptions have to be verified:

  • the attacked website does not check the Referer HTTP header so that it accepts requests originating from external pages.
  • The web site accepts data modification via form submissions or URLs that have side effects which the attacker can exploit.
  • The attacker can determine all the values for the request inputs. In the simplest case, authentication is done exclusively via a session cookie and so the attacker just have to fill non-sensitive fields.
  • The user must load a malicious page containing the attacker’s code. Judging by the amount of Facebook Likejacking, clicking on everything that moves is a pretty common behavior.


Every countermeasure can raise the bar and make CSRF more difficult to perform.

First of all, don’t use GET for operations with side-effects. CSRF relies on requests that produce side-effects like deletions or data modifications, and using GET just makes these requests simpler to perform.

POST however is not enough: an attacker can submit a form using JavaScript once the page is loaded, and create a phantom POST request.

There are different alternatives to avoid CSRF for POST requests.

1. The Referer header

You can check the Referer HTTP header and verify that the request originated from a page internal to your web application. The Referred can be spoofed very easily by a malicious user agent, but the common user is running a general purpose browser, not a malicious user agent.

This approach assumes no one can inject HTML/JavaScript in your pages to originate a request; otherwise the referrer would be correct.

READ ALSO  Simplifying Kubernetes With Docker Compose and Friends

The issues is that referrer stripping is really commonup to 11% of HTTP requests do not contain it; for example, corporate proxies or old user agents commonly strip it away. Thus, strict referrer checking would lock out more than a tenth of your user base from making POST requests.

2. Session Token

Solutions based on a one-time token for forms are by far more popular: the token is saved in the user’s session and transmitted in each official form.

Zend_Form_Element_Hash is an example of this technique: a hidden field is added to forms and populated with the token. To make a successful request, the attacker must know the user-specific token, but can’t access it since an external page cannot load a form on another domain via JavaScript.

In 2011, this is the standard approach.

3. Double-submitted cookie

A variant of the previous technique consists in matching a token sent with the form and with a cookie, instead that with a session value.

Due to the same origin policy, JavaScript code loaded from another host cannot read a cookie set on the official hostname. Thus while official forms will send the value along with the cookie, the attacker’s ones will have to guess the value of the cookie to include it in the request (an impossible task if the value is long enough.)

The advantage of this variant is that less server resources are occupied to store form tokens, and you won’t be the subject of a DDOS attack based on multiple form loading.


The proposal of the most famous paper on CSRF is to add an Origin header to HTTP, in alternative to Referer. This head would be sent only for POST requests, and would contain only an hostname instead of a full URL, to ensure privacy.

READ ALSO  Web Browser Address Bar Spoofing

The techniques described in this article are viable and worth a thought for any application that contains useful data; they hinder testability with certain instruments that build HTTP requests, but they are not an issue for browser-based tools like Selenium.

If You Had Any Query Please Use comment Box Or Reach Me At  (Follow this link to message me on WhatsApp: https://wa.me/441173251891)

Article Tags:
· · · · · ·
Article Categories:
In-Depth Concepts · Information · Premium


Comments to Concept Behind Cross-Site Request Forgery.

  • Cadianhealth Propecia E Impotencia Comprar [url=http://bestlevi.com]levitra without prescription[/url] Como Tomar Propecia Viagra Lilly Icos Viagra Tablets India [url=http://rxbill8.com]cialis 5 mg best price usa[/url] Wann Fangt Cialis An Zu Wirken Us Made Cailis Acticin 30gm Shop Amex Accepted Is Amoxicillin In Penicillin Family Cialis Generico Marca Priligy Generique [url=http://cialiviag.com]cialis 5mg[/url] Retin A From Online Store El Cialis Es Malo Alli Canada

    JeaInorse December 24, 2018 4:35 pm Reply
  • Orlistat No Prescription Cialis E Zoloft [url=http://aquedan.com]buy sertraline no prescription[/url] Mejor Cialis Levitra Cytotec Marrakech Marca Propecia Finasteride Knee Infection Keflex What Does Cephalexin Cure Cialis Viagra Toscana [url=http://cialiprice.com]cialis[/url] Is Amoxicillin Made From Pinicillin Cialis Mazatlan Mexico Comprar Viagra Online Espana Parkizol Online Cialis Trial Packs Express Shipping [url=http://cialibuy.com]cialis 5 mg[/url] Proven Ways To Last Longer In Bed Pedidos De Viagra Keflex W Insurance [url=http://bestlevi.com]levitra sold over the counter[/url] How To Get Zithromaz Without Prescription Over Night Shipping Order Cheapest Flagyl In Salem Malegra 100 Sunrise Cytotec Sans Ordonnance [url=http://mdsmeds.com]buy cialis online[/url] Cialis Viagra Doctissimo On Line Fluoxetine Need With Free Shipping Store

    JeaInorse January 8, 2019 7:33 pm Reply
  • Osu Viagra Precio Farmacia Priligy Tijuana [url=http://sildenaf100mg.com]viagra[/url] Buy Cipro Xr 500mg Online Concepimento Propecia Finasteride Discount Generic Accutane

    JeaInorse January 18, 2019 8:02 pm Reply
  • Online Pharmacies In Usa Overnight [url=http://viaabuy.com]viagra[/url] Where Can I Purchase Viagra Online No Presription Finasteride Como Tomar Cialis 20 Mg [url=http://rxasian.com]viagra[/url] Salem Vpxl Fluoxetine Us Pharmacy [url=http://gaprap.com]viagra[/url] Cephalexin And The Treatment Of Mrsa Buy Generic Accutane No Prescription Viagra Costo In Italia Can You Get High On Cephalexin Productos Kamagra [url=http://orderlevi.com]realcheaplevitra[/url] Fastest Shipping Generic Viagra

    JeaInorse January 24, 2019 10:07 pm Reply
  • Viagra Usa Overnight Delivery Sexpill Eli Lilly Cialis [url=http://drugsir.com]cialis overnight shipping from usa[/url] Propecia Usa Merck Lexapro No Perscription Viagra Types Of Amoxicillin 500mg Capsules [url=http://costofvia.com]viagra[/url] Compare Viagra Canadian Costs Professional Viagra Next Day [url=http://cialibuy.com]canadian pharmacy cialis 20mg[/url] Orlistat Without Prescription In Canada

    JeaInorse February 4, 2019 4:55 pm Reply
  • Cialis Sold Cheap Clavamox Cephalexin Interactions [url=http://buycheapcial.com]cheapest cialis[/url] Viagra 100mg Canada Pharmacy

    JeaInorse February 18, 2019 11:39 am Reply
  • Viagra Generic Very Very Cheap [url=http://try-rx.com]cialis overnight shipping from usa[/url] Cheap Real Cialis Dutasteride Where To Buy By Money Order Shop Hydrochlorothiazide Order Secure Ordering With Free Shipping Shop

    JeaInorse March 10, 2019 2:17 am Reply

Leave a Reply

Your email address will not be published. Required fields are marked *