A CSRF attack forces a logged-on victim’s browser to send a request to a vulnerable web application, which then performs the attacker’s chosen action on behalf of the victim. The malicious code that triggers the request is usually hosted somewhere other than the attacked site, which is why the attack is called “Cross Site”.
Consider a web site with an administrative interface that lets the administrator add and suspend users. Once the administrator has logged in, the application tracks the session with an authentication token, say a cookie.
A cookie is a small piece of data held by the browser and bound to a particular web site. Say cookie A is bound to our example web site. Whenever the browser sends a request to a web site, it automatically includes every cookie associated with that site.
A possible sequence of events that will trigger this type of attack:
– The administrator logs in to the administrative interface.
– While still logged in, the administrator is tricked into visiting a malicious web site.
– The malicious web site automatically issues a request for an action inside the administrative interface (for example, suspend a user).
– The request is sent by the victim’s browser to our example web site, and the browser attaches all cookies bound to that site, including the authentication cookie.
– Our example web site carries out the request (suspends the user) because it arrived with a valid authentication token (the cookie).
So, unknown to the victim, an action has been performed on his behalf. Merely visiting the malicious web site is enough to trigger the attack; the victim does not have to click any link on it.
This type of attack usually involves some amount of social engineering, where the attacker tricks the user into visiting a malicious web site. The attacker also needs to know the URLs and parameters used by the vulnerable actions.
This vulnerability is extremely widespread, as any web application that
– Has no authorization checks for vulnerable actions
– Will process an action if a default login can be supplied in the request itself (e.g. http://www.example.com/admin/doSomething.ctl?username=admin&passwd=admin)
– Authorizes requests based only on credentials that the browser submits automatically, such as the session cookie while the user is logged in to the application, a “Remember me” cookie when the user is not logged in, or a Kerberos token on an intranet using integrated logon with Active Directory
is at risk.
This vulnerability is also known by several other names, including Session Riding, One-Click Attacks, Cross Site Reference Forgery, Hostile Linking, and Automation Attack. The acronym XSRF is also frequently used. OWASP and MITRE have both standardized on the term Cross Site Request Forgery and the acronym CSRF.