Image for post
Image for post
[https://www.hobbyconsolas.com/noticias/simpson-lanzaran-episodio-escrito-hace-mas-20-anos-homer-cree-ser-nino-105672]

Who are you CSRF?

What really happens in CSRF?

Image for post
Image for post
Fig 1 — CSRF Attack in an online banking application

The main 2 steps in a CSRF attack are: a. Make the end-user click on the malicious link that the attacker sends. b. Create a link to fulfill the attacker’s goal that looks like a legitimate request which will be sent to the genuine website with the appropriate cookie.

Steps in detail:

  1. End-user access the ABC bank’s website through its URL, abcbank.com and logs in by providing the credentials.
  2. The application will authenticate the user and if it is a valid user the app will return a cookie which will be stored in the browser.
  3. Meanwhile, the attacker will prepare a link which will transfer the money from end-users account to the attacker’s account. Using the social engineering techniques the attacker will make the end-user to click on the link in order to achieve the attacker’s goal.
  4. When the end-user clicks on the link sent by the attacker, the link will be redirected to the money transferring page along with the matching cookie. This is done without the intention of the end-user.
  5. Since the cookie is a legitimate cookie the app considers this to be a valid request and completes the request by sending the money from end-user’s account to the attacker’s account.

The following images illustrate the actual money transfer between the end-user’s account and the attacker’s account.

Image for post
Image for post
Fig 2 — Money transfer between end-user’s account and the attacker’s account

As you can see in Fig 2 once the end-user click on the link provided in the attacker’s account the script in that particular site which will have the attacker’s preferred values and actions that will trigger the money transfer activity and abcbank.com will transfer the money to the attacker’s account.

Image for post
Image for post
Fig 3 — HTML form for the attacker’s site
Image for post
Image for post
Fig 4 — The corresponding web page for the code provided in Fig 3

This is one of the examples of CSRF attack in real life. The intention of CSRF is not to capture the data but instead to make use of the privilege level of the authenticated user and achieve the goals of the attacker.

Social Engineering in brief

Some social engineering recommendations:

  1. Do not open mails from untrusted sources
  2. Do not accept offers from strangers
  3. Lock your machines
  4. Use anti-virus software

CSRF Prevention mechanisms

a. Synchronizer token pattern

This is also known as an Anti-CSRF token. This is to make use of a token additionally added to the cookie passed with each request to protect the request.

b. Double submit cookie pattern

This cookie can only be sent if the request is made from the same origin as the cookie is being sent from.

More useful blogs on CSRF prevention mechanisms will be coming soon. Till then try out these concepts and have a secure coding day.

Originally published at saratechnobytes.blogspot.com.

Written by

Inquisitive

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store