IT:AD:Cross Site Request Forgery (CSRF/XSRF)


Usually a user does something that tells the browser to make a request to the server; the browser sends the session cookies along with it, and everything works as intended. But suppose the user gets an email that says “Check out these funny kittens!” with a link to a malicious website. No one can resist funny kittens, so the user clicks the link. The funny kittens site turns out to be malicious: its page makes requests to an application that relies on cookies alone for authentication. Perhaps the forged request transfers money out of your bank account, or perhaps it posts something on a social network. These requests are identified AS THE USER, because no matter what caused the request, the browser attaches the cookies for the target site. This is CSRF, and many web apps are vulnerable to it.

In its essence the steps are:

  • In a browser, the user opens a confidential session to a fiduciary service (bank/PayPal/etc.).
  • The confidential site authenticates the user using cookies.
  • During a break in their banking activity, the user opens another tab, or receives an email, with an enticing link (e.g. purportedly images of kittens). The malicious site behind the link sends the browser a page containing a script that issues a command to the confidential site to transfer money.
  • Due to the way browsers are designed, the malicious command goes out with the current session cookie attached, even though it originated from a different tab.
  • The bank, seeing the cookie, believes the request to be genuine, and therefore the money is transferred.
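The steps above, modelled in code as an added example (this is not code from the original page): a toy “transfer” endpoint that authenticates by session cookie alone, the request a browser would send on the user's behalf from the kitten page, and two defences a bank would layer on top of the cookie: a session-bound CSRF token checked together with the Origin header, and the SameSite cookie attribute, which stops the browser attaching the cookie to cross-site POSTs in the first place. The session id, secret, origins, account names and balances are all constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo state: which session belongs to whom, and the server's secret.
SESSIONS = {"sess-abc123": "alice"}
SERVER_SECRET = b"constructed-demo-secret"   # in real life: random and private
SITE_ORIGIN = "https://bank.example"         # the only origin allowed to submit forms


@dataclass
class Request:
    method: str
    cookies: dict            # cookies the browser attached (name -> value)
    form: dict               # POST body fields
    headers: dict = field(default_factory=dict)


def cookies_sent_by_browser(jar, cross_site, method):
    """Model of which cookies a browser attaches. jar: name -> (value, samesite).
    Cross-site requests never get Strict cookies and get Lax cookies only on a
    top-level GET; SameSite=None cookies are attached to everything, which is
    what makes cookie-only authentication forgeable."""
    sent = {}
    for name, (value, samesite) in jar.items():
        if not cross_site or samesite == "None":
            sent[name] = value
        elif samesite == "Lax" and method == "GET":
            sent[name] = value
    return sent


def _do_transfer(user, form, balances):
    amount = int(form["amount"])
    if amount <= 0 or balances.get(user, 0) < amount:
        return 400
    balances[user] -= amount
    balances[form["to"]] = balances.get(form["to"], 0) + amount
    return 200


def transfer_vulnerable(req, balances):
    """Cookie-only auth: whatever caused the request, a valid cookie is enough."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401
    return _do_transfer(user, req.form, balances)


def csrf_token_for(session_id):
    """Synchronizer token bound to the session. The bank embeds it in its own
    forms; a page on another origin cannot read it (same-origin policy)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_hardened(req, balances):
    """Same endpoint, plus an Origin check and the session-bound token."""
    sid = req.cookies.get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return 401
    if req.headers.get("Origin") != SITE_ORIGIN:
        return 403
    if not hmac.compare_digest(req.form.get("csrf_token", ""), csrf_token_for(sid)):
        return 403
    return _do_transfer(user, req.form, balances)


def forged_request(samesite="None"):
    """What the browser sends when the kitten page auto-submits a form to the
    bank: the bank's cookies (subject to SameSite), the attacker's Origin, no token."""
    jar = {"session": ("sess-abc123", samesite)}
    return Request("POST",
                   cookies_sent_by_browser(jar, cross_site=True, method="POST"),
                   {"to": "mallory", "amount": "500"},
                   {"Origin": "https://kittens.example"})


def legitimate_request():
    """What the bank's own form submits: same cookie, bank Origin, valid token."""
    jar = {"session": ("sess-abc123", "Lax")}
    return Request("POST",
                   cookies_sent_by_browser(jar, cross_site=False, method="POST"),
                   {"to": "bob", "amount": "100", "csrf_token": csrf_token_for("sess-abc123")},
                   {"Origin": SITE_ORIGIN})


def demo():
    """Run each case against a fresh ledger; return {case: (status, alice_balance)}."""
    cases = [("vulnerable_forged", transfer_vulnerable, forged_request()),
             ("hardened_forged", transfer_hardened, forged_request()),
             ("vulnerable_forged_samesite_lax", transfer_vulnerable, forged_request("Lax")),
             ("hardened_legit", transfer_hardened, legitimate_request())]
    results = {}
    for name, handler, req in cases:
        balances = {"alice": 1000, "bob": 0, "mallory": 0}
        results[name] = (handler(req, balances), balances["alice"])
    return results


if __name__ == "__main__":
    for case, (status, alice) in demo().items():
        print(f"{case}: HTTP {status}, alice now has {alice}")
```

Running it shows the forged request succeeding (alice drops to 500) against the cookie-only handler, being rejected with 403 by the hardened handler because the token and Origin are missing, and never reaching the vulnerable handler at all when the cookie is SameSite=Lax, since the browser leaves the cookie off a cross-site POST. The legitimate submission from the bank's own page still passes. In practice the token and Origin check and the SameSite attribute are complementary: SameSite depends on browser support and does not cover every request shape, while the token protects even when the cookie is attached.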