What is a Cross-Site Request Forgery vulnerability?


This kind of attack consists of having a victim unwittingly execute an HTTP request. The goal is to make the victim load a page so that the actions on that page are executed with the victim's privileges (usually higher than ours).

In real life, a CSRF attack would be like someone malicious adding an item to your shopping cart while you do your supermarket shopping. The cashier would scan the product without knowing that it does not belong to you. If the attack was not detected, you would pay for the item in question.

For example:
Imagine we are reading a blog and we want to delete an article. The problem is that we are not the administrator of this blog, which means we do not have the necessary rights to remove the article.
However, we know the URL used by the administration to delete an article: www.mysite.com/article.php?id=154&action=delete

Of course we cannot request this URL directly, because the system checks the rights before performing any action. The idea is to find a way to have this URL visited by an administrator. We have two possibilities: use an XSS vulnerability to steal the administrator's cookies and log in, or use a CSRF to make the administrator's browser request this page, so that the article is deleted without the administrator being aware of it.

To have this HTTP request executed by the blog administrator, you can, for example, send them a link to a fraudulent site containing hidden code. Imagine that this page contains an image whose source is the deletion link of the article:
<img src="www.mysite.com/article.php?id=154&action=delete" height="0" width="0">

When the administrator opens the page, the browser requests the image source and the deletion request is sent with the administrator's privileges.


How to protect yourself against Cross-Site Request Forgery vulnerabilities?


To protect yourself against this kind of attack, you must use tokens that are sent in addition to the other parameters. These single-use tokens are used to validate actions and make the URL impossible to predict. In the above case, for example, it would have been necessary to add a parameter to the URL: www.mysite.com/article.php?id=154&action=delete&token=34zm17o1aphj64
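The following is an added example (not code from the original article) showing the deletion handler with and without the token check, written in Python rather than PHP; the Session class, the ARTICLES store and the handler names are constructed stand-ins for the blog's own session and database.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory article store standing in for the blog database.
ARTICLES = {154: "Sample article"}


class Session:
    """Server-side session of one logged-in user (constructed stand-in)."""

    def __init__(self, user, is_admin):
        self.user = user
        self.is_admin = is_admin
        self.csrf_tokens = set()  # issued, not yet used, tokens for this session

    def issue_token(self):
        # 16 random bytes -> 32 hex chars: embedded in the admin's own
        # delete link or form, and unguessable by a third-party page.
        token = secrets.token_hex(16)
        self.csrf_tokens.add(token)
        return token

    def consume_token(self, presented):
        # Constant-time comparison; a matching token is removed so it is single-use.
        for issued in list(self.csrf_tokens):
            if hmac.compare_digest(issued, presented or ""):
                self.csrf_tokens.discard(issued)
                return True
        return False


def delete_article_vulnerable(session, params):
    """Handler as in the article: only the rights are checked, so any request
    the administrator's browser is tricked into sending succeeds."""
    if not session.is_admin:
        return 403
    ARTICLES.pop(int(params["id"]), None)
    return 200


def delete_article_protected(session, params):
    """Same handler, additionally requiring a valid single-use token bound to the session."""
    if not session.is_admin:
        return 403
    if not session.consume_token(params.get("token")):
        return 403  # forged or replayed request: the hidden <img> cannot carry a valid token
    ARTICLES.pop(int(params["id"]), None)
    return 200


def handle(session, url, handler):
    """Parse the query string of a request such as article.php?id=154&action=delete."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if params.get("action") != "delete" or "id" not in params:
        return 400
    return handler(session, params)
```

The token check is what stops the hidden-image request, but it should be paired with performing the deletion over POST rather than GET, since a state-changing GET is exactly what makes an image source usable as the attack vector.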