Cross-site request forgery

2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities.

📘CompTIA CySA+ (CS0-003)

1. What is CSRF?

Cross-Site Request Forgery (CSRF) is a type of web application attack where an attacker tricks a user’s browser into performing actions without the user knowing.

  • Think of it as the attacker “forging” a request from the victim’s browser.
  • The browser is already authenticated on a website, so the request seems legitimate to the web application.

Key points:

  • The attacker does not steal login credentials directly.
  • The attack exploits the fact that browsers automatically send authentication cookies or tokens with requests.

2. How CSRF Works

  1. A user logs into a web application (e.g., an internal company portal).
  2. The web application stores a session cookie in the user’s browser to remember they are logged in.
  3. The user visits a malicious website or clicks a malicious link.
  4. The malicious site sends a request to the trusted web application using the user’s credentials (cookies/token).
  5. The web application executes the action because it thinks the request is legitimate.

Example in IT terms:

  • A user is logged into a banking web app.
  • The attacker tricks the user into visiting a malicious site.
  • The malicious site submits a request to transfer funds from the user’s account.
  • Since the request comes from the logged-in browser, the banking app thinks it’s valid.

3. Common Targets in IT Environments

CSRF usually targets actions that change data or perform transactions:

  • Account settings: Changing email, password, or contact info.
  • Financial transactions: Transferring funds, making purchases.
  • Admin actions: Creating/deleting users, changing permissions in a web portal.
  • Software settings: Changing configurations in SaaS platforms (like Jira, Confluence, or internal admin dashboards).

4. CSRF Indicators / Signs

Cybersecurity analysts should look for:

  • Unexplained user activity on web apps.
  • Unauthorized changes in account settings.
  • Requests coming from unexpected referrers.
  • Absence of anti-CSRF tokens in POST requests.

5. Mitigation and Controls

To protect web applications and users from CSRF, you can implement several layers of controls:

a) Anti-CSRF Tokens

  • Web applications should generate a unique token for each user session.
  • This token must be submitted with every form or state-changing request.
  • The server validates the token before executing the request.
  • If the token is missing or incorrect → request is blocked.

Example:
A web app’s “change password” form includes a hidden token like csrf_token=abc123. The server only allows the password change if this token is valid.

b) SameSite Cookies

  • Set cookies with the SameSite attribute to prevent them from being sent in cross-origin requests.
  • Values:
    • Strict – Cookies sent only to same-site requests.
    • Lax – Cookies sent to same-site and top-level navigation GET requests.
    • None – Cookies sent everywhere (requires secure flag).

Benefit: Prevents CSRF from requests coming from malicious websites.

c) Require Re-authentication

  • For critical actions, force the user to re-enter credentials.
  • Example: Changing admin settings or performing a fund transfer requires a password prompt or 2FA.

d) Verify HTTP Referrer / Origin Header

  • Check the request’s Origin or Referrer header to ensure it comes from a trusted domain.
  • Block requests that originate from unknown domains.

e) User Awareness / Education

  • Inform users to log out of web apps when not in use.
  • Avoid clicking suspicious links while logged in to sensitive systems.

6. Summary Table – CSRF Mitigation

Control TypeHow It Works
Anti-CSRF TokenUnique session token in forms validated by server
SameSite CookiesPrevents cookies from being sent in cross-origin requests
Re-authenticationForces user to re-enter credentials for critical actions
Referrer / Origin ValidationBlocks requests from untrusted domains
User AwarenessEducates users to log out and avoid unsafe links

7. Exam Tips

  • Remember: CSRF exploits trust in the browser, not the server.
  • Always link mitigation to web application context, e.g., forms, cookies, admin actions.
  • CSRF is different from XSS (which exploits trust in the user).
  • Know anti-CSRF tokens and SameSite cookies – these are commonly tested.

Quick Recap in Simple Words:

  • CSRF tricks your browser into doing something you didn’t ask it to do, using your login session.
  • Fix it by checking every request (tokens, cookies, headers) and forcing re-authentication for sensitive actions.
Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by