Cross-Site Request Forgery (CSRF)
What is CSRF?
CSRF is a vulnerability in which an attacker causes a victim's browser to send a request the victim never intended, to a site where the victim is already logged in. Because the browser attaches the site's cookies to that request automatically, the site treats the forged request as a genuine action by the user.
It's as if someone borrowed your signature and used it to sign whatever they wanted.
Why It’s Dangerous
The attack is invisible to the user: it is triggered simply by visiting an attacker-controlled page, and to the server the request looks like any other authenticated request.
It rides on your existing session, inheriting your identity and your permissions.
It can result in:
- Fund transfers
- Password changes
- Account deletions
- Unauthorized purchases
How to Prevent CSRF
- Use anti-CSRF tokens
  - Issue an unpredictable token bound to the user's session and embed it in every state-changing form or request
  - The server verifies the token before acting on the request; a foreign page cannot read it because of the same-origin policy
- Use SameSite cookies
  - Set SameSite=Strict or SameSite=Lax on the session cookie so the browser withholds it from cross-site requests (Lax still sends it on top-level GET navigations, which is one more reason GET must never change state)
- Require re-authentication for critical actions (changing passwords, transferring funds)
- Require a custom request header (for example X-Requested-With) on AJAX endpoints: a plain HTML form cannot set one, and a cross-origin fetch that sets it triggers a CORS preflight the server can refuse. Treat this as defence in depth alongside tokens and an Origin/Referer check, not as the only control.
- Never use GET requests for actions that change state.
Developer Tip:
If your application changes state on a plain URL (GET) or accepts a form POST without a token, an Origin check or a SameSite cookie, it is probably already vulnerable.
CSRF is easy to miss in testing, but its effects can be disastrous.
#CSRF #CrossSiteRequestForgery #CyberSecurity #WebSecurity TBH ADITH AJITHKUMAR