Cross-site request forgery (CSRF) is a particularly insidious cyberattack in which a hacker makes a user carry out actions on a website or application, usually through deceptive means. CSRF requires the attacker to create a copy of an ordinarily legitimate website, get the victim to visit that copy, and then retrieve the cookie for that session.
The hacker then uses the session cookie to carry out actions in the user’s place on the real website. This kind of attack depends on social engineering to succeed.
How does cross-site request forgery work?
- The victim visits a legitimate platform to use a product or service (take, for example, their online banking page). The website will automatically create a cookie for the session and store it on the user’s browser.
- The hacker will then make a website of their own, almost a complete replica of the legitimate website. The forged website often contains a secret ‘form’ programmed to send requests to the real website.
- The hacker then sends the victim a link to the forged website, usually via text message, email, or another messaging channel.
- If the unsuspecting victim clicks the link, they are sent to the forged website, which creates a session cookie. The attacker can then use that cookie to submit a request to the real website, relying on the user’s cookie from the earlier session.
- The real website cannot tell that the request is coming from a hacker and performs the requested action. If it is a banking platform, the request could be a money transfer.
How to guard against CSRF attacks
- CSRF tokens: The legitimate website issues a unique token with each form or request, and the server checks that the token is present and valid before acting on the request. A forged request cannot supply the right token.
- SameSite cookies: A cookie attribute that developers set to block CSRF attacks. With this attribute, the browser only sends the cookie along with requests that originate from the website that created it.
- Referer validation: Websites can inspect the HTTP Referer header on incoming requests to confirm that the request came from the site itself rather than from elsewhere. This check is unreliable on its own, because browsers can change or strip the Referer header.
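As an added illustration of the three defences above (this is example code written for this article, not code from any particular site or framework), a minimal Python request handler that issues and checks a per-session CSRF token, validates the Referer origin, and sets the session cookie with SameSite=Strict. The origin `https://bank.example`, the handler names and the dictionary-shaped session, form and headers are all assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"  # assumed origin of the legitimate site


def issue_csrf_token(session: dict) -> str:
    """Generate a random per-session token, store it server-side, and return it for embedding in forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_is_valid(session: dict, submitted) -> bool:
    """A forged form does not know the token, so it is missing or wrong; compare in constant time."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def referer_is_trusted(headers: dict) -> bool:
    """Secondary check: accept only when the Referer origin is our own site.
    A missing Referer is treated as untrusted, which is why this must not be the only defence."""
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value whose SameSite=Strict attribute makes the browser withhold the cookie
    from any request that does not originate from this site."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def handle_transfer(session: dict, form: dict, headers: dict):
    """State-changing endpoint: refuse unless both the token and the Referer check pass."""
    if not csrf_token_is_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    if not referer_is_trusted(headers):
        return 403, "request did not originate from this site"
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    sess = {}
    tok = issue_csrf_token(sess)  # token would be rendered into the real site's transfer form
    # constructed legitimate submission and constructed forged submission
    print(handle_transfer(sess, {"csrf_token": tok, "amount": "10", "to": "alice"},
                          {"Referer": f"{SITE_ORIGIN}/transfer"}))
    print(handle_transfer(sess, {"amount": "10", "to": "mallory"},
                          {"Referer": "https://forged.example/"}))
```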