What is Cross-Site Request Forgery (CSRF)?by Iwan Price-Evans on Security • May 18, 2022
Cross-Site Request Forgery (CSRF) is a cybersecurity attack where malicious actors exploit a legitimate user's authenticated session to submit requests to a web application without their knowledge or consent.
These requests are usually made with the intention of stealing data or money, making a purchase, or executing a complete account takeover.
How Does CSRF Work?
CSRF attacks work by tricking a user into clicking an "exploit URL" or opening a malware attachment sent to them by a third party. This type of attack is often referred to as "clickjacking."
When the victim visits the exploit URL, malicious code forces their browser to send a predetermined request to a web application, for example, a bank, e-commerce store, or social media account, using the victim's authenticated user credentials (usually in a browser cookie).
Why Are CSRF Attacks Successful?
CSRF attackers typically use a combination of phishing and social engineering to convince a victim to click on an exploit URL or to download malware. These methods often prey on people's sense of urgency, responsibility, or desire. For example, time-limited offers, requests from someone impersonating the victim's employer, or offers of free software are common successful techniques. Pages and emails that appear to come from the exploited web application are also very successful techniques, for example, fake password reset notifications.
Web applications are often vulnerable to CSRF attacks if they do not distinguish between legitimate requests from the genuine user and forged requests from an attacker controlling the user's browser.
Does CSRF Only Affect Websites?
A common misconception about CSRF is that it only affects websites. However, it can also affect mobile apps, desktop applications, and other software.
How Do I Prevent CSRF Attacks?
You can protect your web application from CSRF attacks by using CSRF tokens. A CSRF token is a unique random value generated for each user session stored in HTML and not in the user's cookies.
A secure hash function is a good way to generate a strong unique random value from a user's session ID.
You can determine that critical server-side functions must receive the CSRF token from a user's browser when making requests. You can configure your application to reject requests missing the CSRF token.
You can further protect your web application by using a web application firewall (WAF) to detect and block CSRF and other common application attacks automatically such as the vulnerabilities in the OWASP Top 10.
Does Snapt Help Prevent CSRF Attacks?
Yes. Snapt Nova's web application firewall (WAF) protects against CSRF and many other common Layer 7 application attacks including Denial of Service (DoS), Cross-Site Scripting (XSS), and data leaks.
Snapt Nova uses a centralized control plane and full REST API to provide load balancing and WAF application services on-demand to millions of nodes, making it a strong solution for protecting distributed applications in global and multi-cloud deployments.