CSRF (Cross-Site Request Forgery) is a type of web attack where attackers trick users into performing unintended actions on authenticated websites.
How It Works
- User Login: User logs into the target website (e.g., banking site), server creates session and returns Cookie
- Cookie Storage: Browser stores the target website's Cookie locally
- Visit Malicious Site: User visits a malicious website controlled by the attacker
- Send Request: Malicious site contains code that issues a request to the target website (e.g., an auto-submitted form or an AJAX request)
- Auto-send Cookie: Browser automatically sends the target website's Cookie
- Execute Action: Server validates the Cookie and executes the requested action
Attack Conditions
- User is logged into the target website
- Target website uses Cookie for authentication
- Browser automatically sends Cookies
- Target website lacks other protection mechanisms
Common Attack Scenarios
- Bank transfers
- Password changes
- Data deletion
- Sending emails
- Adding admin accounts
Defense Measures
- CSRF Token: Embed an unpredictable, per-session Token in forms and validate it on the server for every state-changing request
- SameSite Cookie: Set the Cookie's SameSite attribute so the browser does not attach it to cross-site requests
- Verify Referer/Origin: Check that the request's Origin (or Referer) header matches the site's own origin
- Double Submit Cookie: Include the same Token in both a Cookie and a request parameter, and reject the request if they differ
- Custom Header: Require a custom Header on requests (e.g., for AJAX); a cross-site form submission cannot set one
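The following is an added example, not code from the original page, that shows how the first four defenses fit together on a server: a per-session CSRF Token rendered into the form and compared in constant time, a session Cookie issued with SameSite=Lax, an Origin/Referer check against the site's own origin, and a Double Submit Cookie check. The site origin bank.example, the in-memory SESSIONS store and the function names (handle_transfer, origin_allowed and so on) are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical protected site (constructed value for this example)
SITE_ORIGIN = "https://bank.example"

# In-memory stand-in for a real server-side session store: session id -> session data
SESSIONS = {}


def create_session(user):
    """Log a user in: create a session that carries its own random CSRF Token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid):
    """Set-Cookie header for the session; SameSite=Lax keeps the browser from
    attaching the Cookie to cross-site POST requests."""
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def render_transfer_form(sid):
    """Embed the session's CSRF Token as a hidden field (synchronizer token pattern)."""
    token = SESSIONS[sid]["csrf"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def origin_allowed(headers):
    """Accept only requests whose Origin (or Referer, as a fallback) is our own site.
    A state-changing request with neither header is rejected (fail closed)."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin == SITE_ORIGIN


def csrf_token_valid(sid, submitted):
    """Constant-time comparison of the submitted Token against the session's Token."""
    session = SESSIONS.get(sid)
    if session is None or not submitted:
        return False
    return hmac.compare_digest(session["csrf"], submitted)


def double_submit_valid(cookies, form):
    """Double Submit Cookie variant: the Token in the csrf Cookie must equal the
    Token sent in the request body."""
    cookie_token, form_token = cookies.get("csrf"), form.get("csrf_token")
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def handle_transfer(cookies, headers, form):
    """State-changing endpoint: every check must pass before the transfer runs."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "not logged in"
    if not origin_allowed(headers):
        return 403, "bad origin"
    if not csrf_token_valid(sid, form.get("csrf_token")):
        return 403, "bad csrf token"
    user = SESSIONS[sid]["user"]
    return 200, f"transferred {form['amount']} to {form['to']} for {user}"


def demo():
    """Constructed requests: a legitimate submission, a forged cross-site one,
    and a same-origin one carrying a guessed Token. Returns the three status codes."""
    sid = create_session("alice")
    cookies = {"session": sid}
    token = SESSIONS[sid]["csrf"]
    legit = handle_transfer(cookies, {"Origin": SITE_ORIGIN},
                            {"csrf_token": token, "to": "bob", "amount": "10"})
    forged = handle_transfer(cookies, {"Origin": "https://evil.example"},
                             {"to": "mallory", "amount": "1000"})
    guessed = handle_transfer(cookies, {"Origin": SITE_ORIGIN},
                              {"csrf_token": "guess", "to": "mallory", "amount": "1000"})
    return legit[0], forged[0], guessed[0]


if __name__ == "__main__":
    print(session_cookie_header("example-session-id"))
    print(demo())  # (200, 403, 403)
```

In a real browser the forged request in demo() would not even carry the session Cookie once SameSite=Lax is set, so the 403 from the Origin check is a second, independent layer; the Token check then stops any same-origin request that does not know the per-session value. Each layer is useful on its own because the Origin header is sometimes absent and older clients ignore SameSite.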
Difference from XSS
- CSRF: Abuses the user's authenticated identity; requires no script injection into the target site
- XSS: Injects malicious scripts into the target site; can steal Cookies or perform arbitrary operations in the user's browser
CSRF attacks exploit the browser's automatic Cookie sending mechanism and are a significant threat to web application security.