- Posted on: Mar 21, 2023
- By Abhinav Vasisth
- 3 Mins Read
- Last updated on: Sep 10, 2024
What is a cross-site request forgery (CSRF) attack?
Cross-site request forgery (CSRF) attacks are cyberattacks delivered through malicious websites, emails, blogs, instant messages, or applications.
The attack tricks the user's web browser into executing an unwanted action on a site where the user is already authenticated. Browsers attach session cookies automatically to every request they send to a site, so the site cannot tell a request the user actually intended from a forged request that merely carries the user's authenticated session.
CSRF attacks can be very harmful because they allow attackers to hijack user sessions and access sensitive information. They can also inject malicious code into web pages or force users to perform unwanted actions, such as buying products, transferring funds, or clicking on links.
A successful CSRF attack can result in severe damage, depending on the capabilities of the exposed application and the user's privileges.
For example, an attack could be used to transfer funds, change a password, or make a purchase without the victim's knowledge. In other words, a CSRF attack lets an attacker make the target system perform an action through the victim's browser without the victim's consent or knowledge, often until after the unauthorized transaction has already completed.
How are CSRF attacks executed?
There are two main steps to carrying out a cross-site request forgery attack.
The first step is to fool the victim into clicking a link or loading a page, typically through social engineering and malicious links. The second step is to send a well-crafted, legitimate-looking request from the victim's browser to the target website. This request carries the attacker's chosen parameter values, and the browser adds any cookies the victim has for that website.
Cross-site request forgery is only effective if the victim is an authenticated user of the target site, so the victim must be logged in for the attack to succeed. Because CSRF rides on the victim's existing authenticated session rather than breaking authentication itself, functionality that requires no authentication is not a CSRF target, even when it has no CSRF protection.
For example, a public contact form on a website is safe from CSRF because anyone can submit it anyway. CSRF only matters where the victim can perform actions that are not available to everyone.
How to prevent CSRF attacks?
To prevent CSRF attacks, sites such as banks and merchants should tie state-changing requests to dynamically generated, per-session tokens rather than relying on the session-tracking cookie alone. This makes it much harder for an attacker to ride on a client's session.
Even though some sites have controls in place to prevent CSRF attacks, don't assume that all sites do. A site may have these controls today and lose them after an upgrade or a code change. So it's always best to be cautious and take measures to protect yourself from these types of attacks.
CSRF attacks are only possible if the user is already authenticated on a given website. The most common targets of these attacks are banking sites or any other website that deals with financial transactions due to the high usage rate of these sites.
5 best practices to prevent CSRF
1. Use anti-virus software and scan regularly
It's essential to keep your anti-virus software up to date to protect your computer from malicious scripts and viruses. CSRF vulnerabilities can be introduced by your own developers or through external software and libraries, so it's important to scan your web applications regularly with a web vulnerability scanner and to monitor how your applications behave.
2. Use anti-CSRF tokens
Anti-CSRF tokens are the most robust protection against cross-site request forgery attacks. To take advantage of them, use an established implementation such as CSRFGuard for Java or CSRFProtector for PHP. Only if no existing solution fits your environment should you develop your own CSRF defense mechanism.
3. Use SameSite cookies
Setting the SameSite attribute of your cookies to Strict is a good way to help protect your web application from CSRF attacks. If this would break your web application functionality, you can set the SameSite attribute to Lax but never to None. Not all browsers support SameSite cookies yet, but most do. Using this attribute as additional protection along with anti-CSRF tokens can help keep your web application safe.
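The weak and the corrected cookie settings side by side, as an added example that is not part of the original post: `build_session_cookie` emits a `Set-Cookie` value with the attributes a session cookie should carry and refuses `SameSite=None`, while `audit_set_cookie` parses an existing `Set-Cookie` value and reports the weak settings discussed above. The finding codes and the attribute parser are this example's own assumptions, not part of any library.

```python
"""Set-Cookie SameSite audit (added illustration, not code from the post)."""


def build_session_cookie(name, value, same_site="Strict"):
    """Return a Set-Cookie header value hardened for a session cookie.

    Strict is the default; Lax is accepted for apps that Strict would break;
    None is rejected because it sends the cookie on every cross-site request.
    """
    if same_site not in ("Strict", "Lax"):
        raise ValueError("session cookies must use SameSite=Strict or Lax, never None")
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"


def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, {lower-cased attribute: value}).

    Flag attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_set_cookie(header):
    """Return a list of finding codes (assumed names) for a Set-Cookie value.

    An empty list means the cookie carries SameSite=Strict or Lax plus the
    Secure and HttpOnly flags.
    """
    _name, attrs = parse_set_cookie(header)
    findings = []
    same_site = attrs.get("samesite", "").lower()
    if not same_site:
        # Relying on the browser default: not every browser treats a missing
        # attribute as Lax, so set it explicitly.
        findings.append("MISSING_SAMESITE")
    elif same_site == "none":
        findings.append("SAMESITE_NONE")
    if "secure" not in attrs:
        findings.append("MISSING_SECURE")
    if "httponly" not in attrs:
        findings.append("MISSING_HTTPONLY")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one weak, one hardened.
    weak = "sid=abc123; Path=/; SameSite=None"
    good = build_session_cookie("sid", "abc123")
    print("weak :", weak, "->", audit_set_cookie(weak))
    print("good :", good, "->", audit_set_cookie(good))
```

Run the audit over the `Set-Cookie` headers your application actually emits; a session cookie that produces any finding is the one to fix first, and `SameSite=None` on a session cookie should be treated as a defect rather than a configuration choice.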
4. Use additional authentication for sensitive actions
Ensure optimal security on your website by requiring users to re-authenticate for critical and sensitive tasks. Consider employing one-time passwords, CAPTCHAs, or password validation to safeguard against CSRF and other potentially dangerous attacks.
5. Use the custom request header technique
Custom header protection is one possible approach to CSRF protection. It adds a servlet filter that checks every state-changing request for a valid CSRF token. The token is passed in a custom request header and stays valid for the duration of the user's session. This approach is particularly useful for REST APIs, which are not typically reached through entry-point pages that could embed a token in a form.
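A single request filter that implements both the anti-CSRF token check from point 2 and the custom-header variant from point 5, written as an added example rather than code from the post or from CSRFGuard/CSRFProtector. The token is generated per session and stored server-side; a state-changing request must present it either in the assumed `X-CSRF-Token` header (the REST API case) or in the assumed `csrf_token` form field (the HTML form case). A forged cross-site request carries the session cookie but cannot read the token, so it fails the check; safe methods pass through untouched.

```python
"""Synchronizer-token CSRF filter (added example, not code from the post)."""
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # never change state, so no token needed
TOKEN_HEADER = "X-CSRF-Token"               # assumed header name for API clients
TOKEN_FIELD = "csrf_token"                  # assumed hidden form field name


def issue_csrf_token(session):
    """Create the per-session token once and store it server-side.

    The same token is handed to every page/form rendered for this session;
    an attacker's page cannot read it because it lives in the response body
    of a same-origin page, not in a cookie.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _header_lookup(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csrf_filter(method, headers, form, session):
    """Decide whether a request may proceed. Returns (allowed, reason).

    method  - HTTP method of the request
    headers - request headers as a dict
    form    - parsed form/body fields as a dict
    session - the server-side session dict tied to the request's cookie
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    expected = session.get("csrf_token")
    if not expected:
        # No token was ever issued: unauthenticated, or the page flow was skipped.
        return False, "no session token"

    presented = _header_lookup(headers, TOKEN_HEADER)
    if presented is None:
        presented = form.get(TOKEN_FIELD)
    if presented is None:
        # The classic forged request: session cookie present, token absent.
        return False, "missing token"

    # Constant-time comparison on bytes; str inputs with non-ASCII would make
    # compare_digest raise, so encode first.
    if not hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8")):
        return False, "token mismatch"
    return True, "token ok"


if __name__ == "__main__":
    # Constructed scenario: one logged-in session, three kinds of request.
    session = {}
    token = issue_csrf_token(session)

    # 1. Legitimate form post rendered by our own page: token in the body.
    print(csrf_filter("POST", {}, {"amount": "100", TOKEN_FIELD: token}, session))
    # 2. REST client that read the token once and sends it as a header.
    print(csrf_filter("PUT", {"x-csrf-token": token}, {}, session))
    # 3. Forged cross-site request: browser attached the cookie, but no token.
    print(csrf_filter("POST", {}, {"amount": "100", "to": "attacker"}, session))
```

The filter deliberately accepts the token from either location so one implementation covers HTML forms and JSON APIs; what must not be accepted is the token from a cookie, since the browser would attach that to a forged request just as readily as the session cookie itself.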
Conclusion
As more financial transactions are processed online, CSRF attacks will continue to grow. The increased use of social networks also contributes to the delivery of scripts that launch these attacks. Following the preventative measures listed in the blog above will reduce your chance of falling victim to a CSRF attack.