Cross-Site Request Forgery (CSRF) is a type of web security vulnerability where an attacker tricks a logged-in user into performing unwanted actions on a web application without their knowledge. Unlike XSS, which targets the user’s browser to execute scripts, CSRF targets the trust that a web application has in a user’s browser. If the user is authenticated on a website, the attacker can make the browser perform actions such as changing account settings, transferring funds, or submitting forms on behalf of the user.

For example, consider a banking website where the user is logged in. A URL that transfers money might look like:

https://bank.com/transfer?amount=1000&to=attacker

If the attacker sends a hidden request to this URL while the user is logged in, the browser will include the session cookies, and the transfer will execute without the user’s consent. This happens because the web application does not distinguish between legitimate requests initiated by the user and malicious requests forged by an attacker.

There are two main types of CSRF:

  1. Stored CSRF: The malicious request is hosted on a server or webpage controlled by the attacker. When the user visits that page, the browser automatically performs the action.
  2. Reflected CSRF: The malicious request is embedded in a link, email, or form. The user must click the link, which triggers the request with their session cookies.

Common targets for CSRF attacks include forms that update account details, change passwords, submit posts or comments, and perform financial transactions. Any state-changing operation that relies solely on cookies for authentication is potentially vulnerable.

CSRF Example

Suppose a website allows changing the email address via a simple GET request:

https://example.com/change-email?email=attacker@example.com

An attacker could send this link in a hidden image tag:

<img src="https://example.com/change-email?email=attacker@example.com" />

If the user is logged in, their browser will make the request automatically, changing their email address to the attacker’s email.

Prevention

Preventing CSRF requires ensuring that requests are intentionally made by the user. Common methods include:

  • CSRF Tokens: Add a unique, unpredictable token to forms and requests that must be submitted back to the server. The server rejects requests without a valid token.
  • SameSite Cookies: Configure session cookies with the SameSite attribute to prevent them from being sent on cross-origin requests.
  • Double Submit Cookies: Send the CSRF token both as a cookie and a request parameter, and verify they match.
  • Re-authentication for Sensitive Actions: Require users to re-enter their password or perform additional verification for critical operations.

By implementing these measures, web applications can defend against CSRF attacks, protecting users from unauthorized actions performed through their authenticated sessions.

Conclusion

CSRF is a critical vulnerability that exploits the trust between a user’s browser and a web application. Understanding how it works and applying proper mitigation techniques, such as CSRF tokens and secure cookie settings, is essential for developers to protect users and prevent unauthorized actions. Even with strong authentication, failure to prevent CSRF can lead to account compromise, data manipulation, and financial loss.