CSRF: Definition and Concept

Cross-site request forgery (CSRF) is a web vulnerability where a site is tricked into accepting an HTTP request that appears to come from an authenticated user but was actually initiated by an attacker. In practice, it abuses the browser's automatic sending of credentials (like cookies) to perform unintended actions on behalf of the victim.

Core definition

CSRF is an attack that forces a logged-in user's browser to send a crafted request to a target application, causing a state-changing action such as updating profile data, changing a password, or transferring funds, without the user's explicit intent. The application trusts the incoming request because it carries valid credentials (for example, the user's session cookie), and typically cannot distinguish it from a genuine user-initiated request.

Risks Associated with CSRF Exploitation

CSRF exploitation poses significant risks by enabling attackers to perform unauthorized actions on behalf of authenticated users. These risks escalate based on the victim's privileges and the application's functions.

Account Compromise

Attackers can change user details like email addresses or passwords, often leading to full account takeover via password resets. If the victim holds admin rights, this extends to controlling the entire application, including user data and settings.

Financial and Data Loss

Exploitation frequently targets banking or e-commerce sites, resulting in unauthorized transfers, purchases, or data modifications without user awareness. Victims may lose funds or sensitive information, such as personal details or transaction history.

Broader System Impacts

Stored CSRF flaws amplify threats by embedding attacks within the site itself, increasing execution likelihood for all visitors. Outcomes include privilege escalation, denial-of-service crashes, or bypassing security controls, damaging trust and operations.

The Mechanism Behind CSRF Attacks

CSRF attacks operate by exploiting the browser's automatic inclusion of authentication credentials in requests to trusted sites. Attackers craft malicious content that triggers these requests without user awareness, leveraging the victim's active session.

Attack Prerequisites

The target application must perform state-changing actions via requests lacking unique, unpredictable tokens, relying solely on session cookies for authentication. Victims need to be logged in, with browsers sending cookies automatically to the target domain during cross-origin requests.

Execution Steps

Attackers create HTML pages with hidden forms, image tags, or JavaScript that submit forged GET/POST/PUT requests mimicking legitimate actions, such as fund transfers or password changes. Delivery occurs via phishing links, malicious sites, or embedded content that auto-executes on page load, fooling the server into processing the request as authentic.

Technical Exploitation

Forms use methods like <form action="https://target.com/action" method="POST"> with attacker-controlled parameters, submitted via onload JavaScript. Advanced variants employ XMLHttpRequest or iframes for seamless, invisible requests, succeeding if parameters are predictable.

Building a Cross-Site Request Forgery Payload

CSRF payloads are crafted as HTML snippets hosted on attacker-controlled sites to trigger unauthorized requests. These exploit browsers sending session cookies automatically, mimicking legitimate user actions like form submissions.

Basic POST Payload

A common payload uses a hidden form auto-submitted via JavaScript to change an email address on a vulnerable site.

<html>
<body>
<form action="https://vulnerable-website.com/email/change" method="POST">
  <input type="hidden" name="email" value="pwned@evil-user.net" />
</form>
<script>
  document.forms[0].submit();
</script>
</body>
</html>

This executes silently when loaded, sending the POST with victim credentials.

GET Request Variant

For GET-based actions, an image tag triggers the request without interaction.

<img src="http://www.example.com/api/setusername?username=CSRFd">

Attackers embed this in pages or emails to perform actions like parameter changes.

Advanced JSON POST

Modern apps may use XMLHttpRequest for JSON payloads, bypassing some protections with text/plain content types.

<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://www.example.com/api/setrole");
xhr.setRequestHeader("Content-Type", "text/plain");
xhr.send('{"role":admin}');
</script>

This targets APIs, escalating privileges if no token validation exists.

Mechanisms for Triggering a CSRF Exploit

CSRF exploits are triggered when a victim's browser, already authenticated to the target site, loads or interacts with attacker-controlled content. This causes the browser to send forged requests using the victim's valid session credentials automatically.

Social Engineering Delivery

Attackers lure victims to malicious pages via phishing emails, spam links, or forum posts containing exploit URLs or HTML. Once loaded, the page executes the request silently while the victim remains logged into the target application.

Auto-Submitting Elements

Hidden forms with JavaScript like document.forms[0].submit() trigger POST requests on page load. Image tags (<img src="https://target.com/action?param=value">) or script tags handle GET requests without user clicks.

Stored and Advanced Triggers

Stored CSRF embeds exploits in site comments or profiles, executing for authenticated visitors viewing the content. Iframes, XMLHttpRequest, or method overrides (e.g., POST to bypass CORS) enable stealthy execution in modern browsers.

Standard Mitigation Techniques for CSRF

Standard mitigation techniques for CSRF focus on breaking the attack chain by requiring proof of legitimate origin or intent. These include token validation, cookie attributes, and request restrictions, often layered for defense in depth.

Synchronizer Tokens

Applications generate unique, unpredictable tokens per session or form, embedding them in hidden fields or headers. Servers validate the token on state-changing requests (POST, PUT, DELETE), rejecting mismatches since attackers cannot predict or read them due to same-origin policy.

SameSite Cookies

Setting session cookies with SameSite=Strict or Lax prevents browsers from sending them on cross-site requests, blocking forged actions. Strict mode applies to all cross-site requests; Lax allows safe methods like GET from top-level navigation.

Custom Headers and Checks

AJAX requests include non-standard headers (e.g., X-CSRF-Token) settable only same-origin, which cross-site attackers cannot forge. Servers verify headers, Origin, or Referer; avoid sole reliance on Referer due to suppression risks.

Additional Practices

Require user interaction (e.g., re-authentication) for sensitive actions and restrict GET to read-only operations. Modern frameworks like ASP.NET auto-generate antiforgery tokens for forms.