Attack Afternoon – CSRF
CSRF stands for “Cross-Site Request Forgery” and is a classic among web application attacks. With this attack, it is possible to perform certain user actions without them noticing it. But how exactly does this attack work?
Let’s start from the beginning: Most applications identify a user via session cookies. Cookies are suitable because they are stored in the user’s browser after being set. Furthermore, the browser automatically sends the respective cookies with all following HTTP requests. However, whether the HTTP request is sent by the actual application or by a third party does not matter for the browser when cookies are transmitted.
This means that an HTTP request that comes from a user’s browser is by no means necessarily an HTTP request that the user deliberately executed. Every page that a user surfs to can send an HTTP request to any destination in the background via the user’s browser. For example, the website on which you are viewing holiday pictures could secretly send an HTTP request that triggers a transfer in your online banking application, if that application is vulnerable to CSRF. To do this, an attacker, the mastermind behind the alleged holiday picture website, must forge the HTTP request for this transfer and send it cross-site to the online banking application (hence the name: Cross-Site Request Forgery). If you are currently logged on to the online banking application, your cookies are automatically sent along by the browser and you are identified as a customer. The transfer then goes through – under your name.
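The following added example (not code from the original post or from its authors) models the situation just described on the server side: a transfer handler that identifies the user solely by the session cookie accepts the forged request just like the legitimate one, whereas a handler that additionally demands the anti-CSRF token mentioned at the end of this post rejects it, because a third-party page cannot read that token. Session ids, user names and request contents are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed session store (hypothetical): session cookie value -> user and anti-CSRF token.
SESSIONS = {
    "sess-alice-1234": {"user": "alice", "csrf_token": secrets.token_hex(16)},
}


def _user_from_cookie(headers):
    """Mirror the browser behaviour described above: whoever presents the cookie is the user."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in SESSIONS:
            return value, SESSIONS[value]["user"]
    return None, None


def transfer_vulnerable(headers, form):
    """Cookie-only identification: any request carrying a valid session cookie is executed."""
    _, user = _user_from_cookie(headers)
    if user is None:
        return (401, "not logged in")
    return (200, f"{user} transferred {form['amount']} to {form['to']}")


def transfer_protected(headers, form):
    """Synchronizer-token pattern: the form must also carry the token bound to the session.
    The cookie alone no longer proves intent, so a cross-site request without the token fails."""
    sid, user = _user_from_cookie(headers)
    if user is None:
        return (401, "not logged in")
    expected = SESSIONS[sid]["csrf_token"]
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return (403, "missing or invalid anti-CSRF token")
    return (200, f"{user} transferred {form['amount']} to {form['to']}")


# Constructed requests. Both carry the cookie, because the browser attaches it regardless of
# which site issued the request; only the legitimate form can contain the session's token.
LEGIT = ({"Cookie": "session=sess-alice-1234"},
         {"to": "bob", "amount": "10", "csrf_token": SESSIONS["sess-alice-1234"]["csrf_token"]})
CROSS_SITE = ({"Cookie": "session=sess-alice-1234"},
              {"to": "mallory", "amount": "1000"})

if __name__ == "__main__":
    for label, (h, f) in (("legitimate", LEGIT), ("cross-site", CROSS_SITE)):
        print(label, "cookie-only handler:", transfer_vulnerable(h, f))
        print(label, "token-checked handler:", transfer_protected(h, f))
```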
Learn in one of our next Attack Afternoons how you can effectively protect yourself against CSRF. Stay tuned!
Do you already have a CSRF protection and want to have it checked? Please feel free to contact us!
CSRF Countermeasures #1: One possibility to prevent CSRF is the usage of an anti-CSRF token.