Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) is an attack that lets an attacker make requests to other sites on behalf of the victim user. If the victim visits a site containing malicious code, a request is sent under her identity to another service (for example, a social network) that performs a destructive action (such as deleting the user's account).

Example

  1. Website bank.com lets users transfer money to a given account number
    <form method="POST" action="/transferMoney">
       <input type="number" name="accountNumber"/>
       <input type="number" name="amount"/>
       <input type="submit" value="Transfer money"/>
    </form>
  2. The money transfer form is processed only if the user is logged in to the website
  3. The website is vulnerable to a Cross-Site Request Forgery attack

Attacker

  1. Determines that the website bank.com is vulnerable to a CSRF attack
  2. Finds an XSS on the popular website attacker.com (or owns the site) and embeds in it code that submits bank.com's form
    <form method="POST" action="http://bank.com/transferMoney" id="csrf-form">
       <input type="number" name="accountNumber" value="1337"/>
       <input type="number" name="amount" value="200"/>
       <input type="submit" value="Transfer money">
    </form>
    <script>document.getElementById("csrf-form").submit()</script>

Victim

  1. Is logged in to the site bank.com
  2. Visits another resource, attacker.com, possibly via a phishing link
  3. From attacker.com, the embedded code submits the form to the site bank.com
  4. As a result, money is transferred from the bank.com user's account to the attacker's account

Explanation

The required condition is that the user is logged in to bank.com, so the browser holds a cookie for the site bank.com. The bank.com code can verify the identity of the user, but cannot verify that the form was actually submitted by the user. The exploit on attacker.com issues a POST request, and the browser attaches the bank.com cookie to it.

POST http://bank.com/transferMoney HTTP/1.1
Host: bank.com
Cookie: (bank authentication cookie)
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

accountNumber=1337&amount=200

The same-origin policy does not block submitting a form to another origin. Website bank.com will process the request as if it came from the user and make the money transfer.
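To make the explanation concrete, here is an added simulation (not the page's or bank.com's code) of the /transferMoney handler: the vulnerable version accepts the forged body from the exploit above because the cookie alone proves identity, while a hardened version with a per-session synchronizer token (assumed names SESSIONS, CSRF_TOKENS and the csrfToken field) rejects it, since attacker.com cannot read a token embedded in bank.com's own page.

```python
import hmac
import secrets

SESSIONS = {"sess-abc": "victim"}  # constructed session store (assumption): cookie value -> logged-in user
CSRF_TOKENS = {}  # per-session synchronizer tokens, used by the hardened handler only

def parse_form(body):
    """Parse an application/x-www-form-urlencoded body like accountNumber=1337&amount=200."""
    return dict(pair.split("=", 1) for pair in body.split("&") if "=" in pair)

def do_transfer(user, form, balances):
    """Move form['amount'] from the logged-in user to the account in form['accountNumber']."""
    amount = int(form["amount"])
    balances[user] -= amount
    balances[form["accountNumber"]] = balances.get(form["accountNumber"], 0) + amount
    return "200 transferred"

def transfer_money_vulnerable(cookie, body, balances):
    """bank.com as described: the cookie proves who the user is, nothing proves who sent the form."""
    user = SESSIONS.get(cookie)
    if user is None:
        return "401 not authorized"
    return do_transfer(user, parse_form(body), balances)

def issue_csrf_token(cookie):
    """Called when bank.com renders its own form: a random token tied to the session is embedded in it."""
    token = secrets.token_hex(16)
    CSRF_TOKENS[cookie] = token
    return token

def transfer_money_hardened(cookie, body, balances):
    """Same handler, but the submitted csrfToken must match the session's token before acting."""
    user = SESSIONS.get(cookie)
    if user is None:
        return "401 not authorized"
    form = parse_form(body)
    expected = CSRF_TOKENS.get(cookie)
    if expected is None or not hmac.compare_digest(form.get("csrfToken", "").encode(), expected.encode()):
        return "403 csrf token missing or wrong"
    return do_transfer(user, form, balances)

def demo():
    """Replay the forged body from the page against both handlers."""
    balances = {"victim": 1000, "1337": 0}
    forged = "accountNumber=1337&amount=200"  # body sent by the exploit above
    r_vuln = transfer_money_vulnerable("sess-abc", forged, balances)  # money moves
    r_forged = transfer_money_hardened("sess-abc", forged, balances)  # rejected: no valid token
    token = issue_csrf_token("sess-abc")  # the victim loads bank.com's real form page
    r_real = transfer_money_hardened("sess-abc", forged + "&csrfToken=" + token, balances)
    return r_vuln, r_forged, r_real, balances
```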

  How to prevent CSRF →