29 question-and-answer flashcards summarizing Lecture 09 on Cross-Site Request Forgery, covering definitions, attack mechanics, HTTP basics, browser behaviors, and major countermeasures such as SameSite cookies and CSRF tokens.
What does Cross-Origin Resource Sharing (CORS) allow a server to do?
Whitelist specific origins so that browsers can make permitted cross-site requests, relaxing the same-origin policy.
In HTTP, which method is normally used to request data without changing server state?
The GET method.
Which HTTP method is typically used to send form data that the server will process or store?
The POST method.
What is Cross-Site Request Forgery (CSRF)?
A web vulnerability where an attacker causes an authenticated user’s browser to send unwanted requests that carry the user’s session credentials, performing actions without the user’s consent.
Whose trust is exploited during a CSRF attack?
The trust the target web application places in the user’s browser session.
In a normal, safe request flow, who originates the request received by the trusted website?
The user, interacting directly with pages from the trusted website.
During a CSRF attack, where is the malicious request generated?
From a different origin controlled by the attacker—such as a malicious link, image, or website.
Why can a CSRF attack succeed against a banking site that uses GET requests for transfers?
Because the victim’s browser automatically attaches the valid session cookie to the attacker-supplied GET URL, making the request look legitimate to the server.
What are the two kinds of requests a server must distinguish to prevent CSRF?
Same-site requests (originating from its own pages) and cross-site requests (originating from other sites).
Why can’t servers rely on the Referer header alone to stop CSRF?
Referer headers may be missing, stripped, or modified by browsers, proxies, or privacy settings, so they are not dependable.
What browser feature lets servers declare that cookies should not be sent with cross-site requests?
The SameSite cookie attribute.
Name the two primary SameSite modes and describe their behavior.
Strict: cookies are never sent on cross-site requests. Lax: cookies are sent on top-level navigation but withheld from most other cross-site requests.
What is a CSRF (secret) token?
A unique, unpredictable value generated by the server and embedded in each form or action URL; it must accompany every sensitive request and be validated by the server.
How does the secret token approach block CSRF?
Attackers cannot guess or obtain the valid token, so any forged request lacks a correct token and is rejected by the server.
List three key security properties of a good CSRF token.
Unique per user session, randomly generated, and inaccessible across origins (protected by the same-origin policy).
What two hidden fields does Elgg embed for CSRF protection?
_elggtoken and _elggts (timestamp).
In the SEED lab GET-based attack, what HTML element is abused to send the forged request?
An <img> tag whose src attribute points to the vulnerable action URL; the browser fetches it with a GET request and attaches the session cookie.
In the SEED lab POST-based attack, how is the malicious form submitted automatically?
JavaScript executes document.getElementById('attack').submit() when the page loads.
After enabling Elgg’s gatekeeper() check, what happens to the previous CSRF attack pages?
Their requests are rejected because they lack valid _elggtoken and _elggts values.
What single sentence summarizes modern CSRF defense best practices?
Use properly configured SameSite cookies together with per-request CSRF tokens to ensure only intentional, site-originated actions are processed.
Which HTTP header can reveal the page that initiated a request and sometimes helps detect CSRF?
The Referer (or Referrer) header.
What role does the browser’s same-origin policy play in CSRF token security?
It prevents malicious sites from reading the token embedded in pages from the legitimate origin.
In the banking example, which URL parameter values convey the attacker's intent?
to=3220 (attacker’s account) and amount=500 (amount to transfer).
Why is CSRF particularly dangerous for users already authenticated on high-value sites?
Their active session cookies automatically accompany forged requests, granting the attacker the same privileges as the victim.
Name three ways a user might be lured into triggering a CSRF attack.
Clicking a deceptive link in an email, loading an attacker’s site that auto-submits a form, or viewing an embedded image or script on a compromised page.
How does the browser determine whether to send a SameSite=Strict cookie?
It checks if the request’s top-level site matches the cookie’s origin; if not, the cookie is withheld.
What simple code change re-enabled CSRF protection in the SEED lab’s Elgg instance?
Removing or commenting out the line ‘return true;’ at the top of the gatekeeper() function in ActionsService.php.
Which HTTP request type (GET or POST) is safer for performing state-changing operations, and why?
POST is safer because it is less likely to be triggered unintentionally (e.g., by images or links) and can include a CSRF token in its body.
When observing HTTP traffic in the SEED lab, which browser tool tab helps you see individual requests and parameters?
The Network tab of the browser’s Web/Developer Console.