Computer Security: Lecture 09-Cross Site Request Forgery


Last updated 7:29 PM on 4/14/25

7 Terms

1

Cross-Site Request Forgery

Forces an authenticated user to submit a request to a web application without their consent; it exploits the trust a site has in the user's browser.

2

How CSRF Works

Step 1: The user logs into a legitimate website and receives a session cookie. The browser stores this cookie and sends it with every request to that website.

Step 2: The attacker tricks the user into clicking a link that leads to an attacker-controlled website containing hidden code that executes the CSRF attack.

Step 3: The attacker's site sends a request using the victim's session: the hidden code requests anything it likes from the trusted website, and the browser attaches the victim's session cookie.

Step 4: The request executes actions on behalf of the user. Because it carries the session cookie, it looks to the trusted website like a legitimate request.

3

CSRF Attack on GET Requests

  • The user is logged into the trusted site, which has issued a session cookie that uniquely identifies the user.

  • When an HTTP request is made, the attacker needs the forged request to be sent from the victim's machine, so that the browser attaches the victim's session cookie to it.

  • The attacker can place the triggering code, for example as JavaScript, in the attacker's own web page.

  • HTML tags such as img and iframe trigger GET requests to the URL specified in their src attribute.

4

Fundamental Causes of CSRF

  • The server cannot distinguish whether a request is cross-site or same-site.

  • The browser does know the difference.

5

Countermeasures: Referer Header

  • An HTTP header field identifying the address of the web page from which the request was generated.

  • A server can check whether the request originated from its own pages or not.

  • Since it reveals part of the browsing history, it raises privacy concerns and is not widely used.

6

Countermeasures: Same-Site Cookies

  • A special type of cookie in browsers such as Chrome and Opera, which provide a cookie attribute called SameSite.

  • This attribute is set by the server and tells the browser whether the cookie should be attached to a cross-site request or not.

7

Countermeasures: Secret Token

  • The server embeds a random secret token in the web page.

  • The request includes the secret token.

  • The server validates that the token in the request matches the one it expects.
