Cross-site request forgery

Parth Patel
2 min read · Feb 9, 2021
CSRF Attack

What is CSRF?

Cross-site request forgery, also known as CSRF, is a web security vulnerability that allows an attacker to make a logged-in user's browser perform actions that the user did not intend.

What is the impact?

In a successful CSRF attack, the victim's browser carries out an action the victim did not intend, such as changing the account's email address, changing the password, or making a funds transfer. The attack works because the browser automatically attaches the session cookie to requests sent to the site, even when the request originates from a page the attacker controls. Depending on the action, the attacker may gain full control of the user's account.

Preventing CSRF attack

Most CSRF defences work by adding data to each state-changing request that an attacker on another site cannot supply. One such method is the cookie-to-header token. The server sets a cookie containing a random token, which typically stays the same for the whole session. JavaScript running on the client reads this cookie value and sends it as a custom HTTP header on every state-changing request. The server checks that the header value matches the cookie value and rejects the request if the header is missing or does not match.

This method relies on the same-origin policy: only JavaScript running on the site's own origin can read the cookie's value. JavaScript on a rogue site cannot read it and therefore cannot copy it into the custom header. The browser will still attach the cookie to the forged request automatically, but the server also requires the token in the custom header, which the forged request lacks. A plain HTML form cannot set custom headers at all, and a cross-origin fetch() that adds one triggers a CORS preflight, so the server must not allow arbitrary origins in its CORS configuration or this protection is undermined.

The CSRF token itself must be unique per session and unpredictable, so generate it with a cryptographically secure random number generator. The cookie carrying it must not have the HttpOnly flag, otherwise JavaScript would be unable to read it and set the custom header. Because the token is readable by script, any XSS vulnerability on the site defeats this protection, and the cookie should still carry the Secure flag so it is only sent over HTTPS.
