What Is Cross-Site Request Forgery?

Posted on October 30, 2020 by Mel Hawthorne

CSRF, or Cross-Site Request Forgery, is a website vulnerability where an attacker can cause an action to happen in a victim’s session on another website. One of the things that makes CSRF so much of a risk is that it doesn’t even require user interaction: all that’s needed is for the victim to view a webpage with the exploit in it.

Tip: CSRF is generally pronounced either letter by letter or as “sea surf”.

How does a CSRF attack work?

The attack involves the attacker creating a website that has a method of making a request on another website. This could require user interaction, such as getting them to press a button, but it could also be interactionless. In JavaScript there are ways to cause an action to happen automatically. For example, a zero by zero pixel image won’t be visible to the user but can be configured so its “src” makes a request to another website.

JavaScript is a client-side language, which means that JavaScript code runs in the browser rather than on the web server. Because of this, the computer that makes the CSRF request is actually the victim’s. Unfortunately, this means that the request is made with all the permissions that the user has. Once the attacking website has tricked the victim’s browser into making the CSRF request, that request is essentially indistinguishable from one the user made normally.

CSRF is an example of a “confused deputy attack” against the web browser as the browser is tricked into using its permissions by an attacker without those privileges. These permissions are your session and authentication tokens to the target website. Your browser automatically includes these details in any request it makes.

CSRF attacks are somewhat complex to arrange. First of all, the target website needs to have a form or URL that has side effects such as deleting your account. The attacker then needs to craft a request to perform the desired action. Finally, the attacker needs to get the victim to load a webpage with the exploit in it while they’re signed into the target website.

To prevent CSRF issues, the best thing you can do is include a CSRF token. A CSRF token is a randomly generated string that the server sets as a cookie; the same value then needs to be sent back with every state-changing request in a request header. While a CSRF attack can cause the browser to include the cookie, the attacking site has no way to determine the value of the CSRF token to set the header, so the forged request will be rejected.
