Cross Site Request Forgery (CSRF)

What is it

CSRF is similar to XSS but differs slightly: the attacker does not need to inject script into the victim site, only to make your browser send a request to it.

Imagine the scenario where

  • You have more than one tab open in your favorite browser
  • You are browsing a site in one of your tabs
  • That site contains an image (or link) whose URL points at one of the sites you have open in another tab, so a request to that site is sent when the image is loaded or clicked
  • Since the other site is already open and your browser holds a cookie authorizing you to it, the cookie is attached to that request; the victim site treats the command as if you had issued it yourself

How serious is it

CSRF vulnerabilities are serious, but they require several conditions to hold at once, which makes successful exploitation less likely. That should not be used as an excuse to ignore them, as their impact is more or less similar to that of an XSS attack.

The impact of command injection may include

  • Addition of a new user
  • Transferring data out of the current system
  • Starting / stopping a system service
  • Installing malicious software such as key loggers, viruses, Trojans, worms, etc.
  • Gaining access to the data contained in your system (loss of Confidentiality)
  • Possible loss of data (loss of Availability)

The amount of data an attacker can retrieve depends on multiple factors, such as the attacker's creativity and the system's design and implementation.

How to prevent

Check the HTTP Referer header. The Referer header tells the server where the request originated and therefore whether that origin can be trusted.
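As an added example (not part of the original article), the following Python shows an origin check for a state-changing request. It prefers the Origin header, which browsers send on cross-origin POSTs, and falls back to Referer; a request with neither header, or with one that cannot be parsed, is treated as untrusted, because browsers and privacy settings may strip Referer and a missing header must not silently pass. The allow-list, the header dictionary shape and the helper names are assumptions made for the example.

```python
# Added example, not code from the original article. Validates the
# Origin / Referer header of a state-changing request against an
# allow-list of trusted origins, failing closed when the header is absent.
from urllib.parse import urlsplit

# Constructed allow-list: (scheme, host, port) tuples the application
# itself is served from. Comparing the full tuple defeats look-alike hosts
# such as "bank.example.com.evil.example" and scheme downgrades.
TRUSTED_ORIGINS = {("https", "bank.example.com", 443)}

DEFAULT_PORTS = {"https": 443, "http": 80}


def _origin_of(url):
    """Return (scheme, host, port) for a URL, or None if it cannot be parsed."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme.lower())
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def request_origin_is_trusted(headers):
    """Decide whether a state-changing request came from a trusted origin.

    `headers` is a plain dict of request headers (assumed shape). Origin is
    preferred over Referer; a literal "null" origin, a missing header or an
    unparsable value all count as untrusted.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source or source.strip().lower() == "null":
        return False
    origin = _origin_of(source.strip())
    return origin is not None and origin in TRUSTED_ORIGINS


if __name__ == "__main__":
    # Constructed sample requests: one from the site itself, one from a
    # third-party page embedding an image that points at the site.
    print(request_origin_is_trusted({"Origin": "https://bank.example.com"}))
    print(request_origin_is_trusted({"Referer": "https://evil.example/gallery"}))
```

This check is defence in depth only: it rejects the obvious cross-site image or form request, but it should be paired with a secret token rather than relied upon alone.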

Implement account timeouts

  • Putting account (session) timeouts in place ensures that the window of opportunity is small.

Request authentication data while making a request

  • In other words, ask for the password one more time before a transaction to ensure that the request is not auto-generated.

Implement Secure Software Development Lifecycle (SSDLC)

Secure coding guidelines, although critical, form ONLY a piece of the puzzle. To ensure that applications are secure, security needs to be built in right from the requirements stage and carried through every other stage, be it Design, Coding, Review, Testing, Release or Implementation.

Add a secret token to all user-specific actions. Do not put this secret token in a cookie, since the browser would attach it to a forged request just as it attaches the session cookie. Verifying the secret token on every user action ensures that no automated requests are entertained.