Published in Towards Dev

#2 Security Threats — CSRF / XSRF

Cross-Site Request Forgery

Hello Everyone, Welcome to my blog 🙏.
I hope you are all safe and that this blog finds you in good health ❤️.

In my previous blogs, we have learnt about
1. Cross-Site Scripting (XSS) & preventing it with Content Security Policy (CSP)

In this blog, we will learn more about
👉 Cross-Site Request Forgery

CSRF / XSRF

Introduction

Cross-Site Request Forgery (CSRF/XSRF) is a security vulnerability in which an attacker induces a user to perform unwanted actions, without the user's intent, on a web application in which the user is currently authenticated.

Impacts of CSRF

👉 Victim unknowingly executes transactions.
👉 It exploits the User’s trust in the site & browser.
👉 Loss of sensitive data & access.

How does CSRF work?

To understand it better, let’s take an example:

Tom is an ambitious person who wants to pursue a career as a chef.
One day, he was browsing some articles and came across a unique website with several recipes, which he started to read. There he saw a link labelled “Download recipe book”. Seeing it, Tom immediately clicked on it and downloaded a PDF with no content in it.
He assumed it was some issue with the website, but after some time he received a message about a transaction of $200.
He was shocked and complained to the bank. They checked the transaction details and informed Tom that he himself had made that transaction. But he was unaware of that transaction, and the bank officials couldn't help him.
Tom was not the only customer to report it. There were a few other complaints too.
So, the bank officials soon shut down their servers, investigated the issue and found that all the requests made with the “GET” method were neither secured nor validated.

What has happened?
Evil is a hacker who was the reason behind the unintentional transactions made by Tom and other customers of the bank.
He researched the bank website and noticed that it had a CSRF vulnerability: all the requests used the “GET” method, and the query params were in the URL as below:

After learning this, he planted some fancy and attractive elements on a few websites that were not secure enough. The page on which Tom clicked the “Download e-book” link was one of those websites.

This way, Tom was tricked by Evil.

Now that we know CSRF can be dangerous, let's look at the different ways to prevent it.

Preventive measures

💥 Do not use GET requests for state-changing operations; if you must, protect them from CSRF attacks.
💥 Any Cross-Site Scripting (XSS) vulnerability can be used to defeat all CSRF mitigation techniques, so XSS must be fixed as well.
💥 Modern frameworks have CSRF protection built in; if yours does not, use anti-CSRF tokens (for example an X-CSRF-Token header) for all state-changing requests.
💥 Use the Synchronizer Token Pattern for unique, per-session token generation.
💥 Use the Double Submit Cookie pattern.
💥 Use SameSite cookies.

XSS vs CSRF

Difference between XSS & CSRF

Adding to the above differences,
In comparison, XSS is more harmful than CSRF.
If a site is vulnerable to XSS, then it is also vulnerable to CSRF; the converse need not be true, i.e. a CSRF attack can still happen on a site that is protected from XSS.

For more information, please refer to 👇
👉CSRF Documentation
👉 CSRF Prevention Sheet

Here we go, that's it, folks, for this blog. I hope everyone liked it.
If you liked it, give it a clap 👏
and share it with your friends.

For more exciting content on frontend, please do follow me 🎯.

Thanks a lot, Everyone 🙏.
Until Next time,
Happy Learning ✍️

Abhishek Kovuri, UI developer
