NKCODE TECH GEEK ZONE

Website Hacking With CSRF Attack

Posted on March 5, 2017


Cross Site Request Forgery Attack is also known as CSRF or XSRF for short. Do not confuse it with Cross Site Scripting (XSS); it is a totally different attack. Like SQL injection and XSS, CSRF has been in the OWASP Top 10 web vulnerabilities for many years.



What is Cross Site Request Forgery Attack?

Cross Site Request Forgery or CSRF is an attack in which the attacker exploits the user's active session in the browser without the user's knowledge or permission. Using the victim's browser session, the attacker sends valid requests to a website that perform some action in the user's account. The user cannot tell that the request has been sent from his browser. The attacker uses some innocent-looking third-party website to generate these valid requests from the user's browser.

For example, if a form on a website can also be submitted from some other website, it is vulnerable to CSRF. Suppose there is a form on a vulnerable website

(http://www.vulnerablesite.com/vulnerable.php)

<form action="action.php" method="post">
  <input type="submit" value="Submit">
</form>

and I make a copy of it on my localhost, pointing at the absolute URL of the same handler:

<form action="http://www.vulnerablesite.com/action.php" method="post">
  <input type="submit" value="Submit">
</form>

If I can submit the form from my localhost and the website processes it exactly as if it had come from its own page, the website is vulnerable to CSRF. The browser attaches the victim's cookies to the cross-site POST, so the request rides on the victim's session; that is why this attack is also known as a "Session Riding" attack. Sometimes it is hard to understand how this attack works in real life, so I will explain it with the help of an example.

Suppose an online payment website like PayPal had a CSRF vulnerability. Attacker A wants to exploit it to attack victim B, and uses some third-party website to do so. Innocent user B logs in to his account to check the balance and then switches to a new tab without logging out of the older tab, so the session is still active in the browser.

Attacker A has posted a link or an image on a website that, on load, submits the payment transfer form to transfer money to the attacker's account using the active session. Because the request comes from user B's browser with his session cookie, the CSRF-vulnerable website transfers the funds.

How CSRF is different from XSS

Many people confuse CSRF with XSS. In XSS, the attacker exploits the trust that the user has in the website: a malicious script is injected into the page, and the user trusts it because he sees a valid website URL. In CSRF, by contrast, the attacker exploits the trust that the website has in the user's browser: the website assumes that a request arriving from the user's browser was made by the user himself.

Both vulnerabilities are serious.

Protection against CSRF attack:

Many people think that defending against XSS also defends against CSRF, but this is not true; CSRF needs its own controls.
There are several ways to protect against CSRF. Some important ones are given below:

  • Check the HTTP Referer (or Origin) header. If it names a different domain, deny the request. Note that browsers and proxies sometimes omit the Referer header, so this check can only supplement a stronger control, not replace it.
  • Limit the lifetime of authentication cookies. If the user is inactive for some fixed time, the session must expire; this narrows the window in which a forged request can ride on it.
  • Limit the damage by re-authenticating the user (for example, asking for the password again) before sensitive actions such as a fund transfer or a password change.
  • Use a random, unpredictable token per session, embedded as a hidden field in every form and checked on the server on every state-changing request. A page on another site cannot read the token, so it cannot forge a valid request.

About Author:
Deepanker Verma is a security researcher and tech blogger. You can read his security blog at HackingTricks.

©2025 NKCODE TECH GEEK ZONE | Design: Newspaperly WordPress Theme