CSRF attack
Cross-site request forgery
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. The attack is typically delivered through phishing, a cloned site, etc. The following conditions have to be present for the attack to work:
- A relevant action: change password, email, rights, …
- Cookie-based session handling: a website that relies on cookies for its sessions is a prime candidate for this type of attack, because the browser attaches the cookie to the forged request automatically
- No unpredictable request parameters: every element must be known or obtainable so that the request can be forged
Here is a diagram from PATT for checking whether a request is vulnerable to CSRF:
Some examples
No defenses
```html
<form method="$method" action="$url">
  <input type="hidden" name="$param1name" value="$param1value">
</form>
<script>
  // Auto-submits the forged request as soon as the victim loads the page
  document.forms[0].submit();
</script>
```
JSON and JS combined
```html
<script>
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://www.example.com/api/setrole");
  // text/plain is a CORS "simple" content type, so the browser sends the
  // request without a preflight and the body still reaches the endpoint
  xhr.setRequestHeader("Content-Type", "text/plain");
  //xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  //xhr.setRequestHeader("Content-Type", "multipart/form-data");
  xhr.send('{"role":admin}');
</script>
```
How to prevent them
The standard defense is a CSRF token, which must be:
- Unpredictable, with high entropy, as for session tokens in general.
- Tied to the user's session.
- Strictly validated in every case before the relevant action is executed.
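As an added example (not code from the original page), the three token properties above applied to the /api/setrole endpoint from the XHR example: the session store, the origin https://www.example.com and the handler shape are assumptions, and the check also rejects the text/plain content type that the attack relies on.

```python
import hmac
import json
import secrets

# Constructed in-memory session store standing in for a real session backend.
SESSIONS = {}
ALLOWED_ORIGIN = "https://www.example.com"  # assumed origin of the site itself

def create_session(user):
    """Log a user in: session id plus a per-session CSRF token (unpredictable, high entropy)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "role": "user", "csrf": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid):
    """The token the site embeds in its own pages; an attacker's page cannot read it."""
    return SESSIONS[sid]["csrf"]

def validate_request(sid, submitted_token, content_type, origin):
    """Checks run before any state-changing action; returns (ok, reason)."""
    session = SESSIONS.get(sid)  # sid comes from the cookie the browser attaches automatically
    if session is None:
        return False, "no session"
    # The XHR example sends text/plain to avoid a CORS preflight; insist on the real type.
    if content_type != "application/json":
        return False, "unexpected content type"
    # Browsers add Origin to cross-site POSTs; a mismatch means the request did not come from our pages.
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False, "cross-origin request"
    # Token must be present, tied to this session, and compared in constant time.
    if not submitted_token or not hmac.compare_digest(submitted_token, session["csrf"]):
        return False, "missing or wrong csrf token"
    return True, "ok"

def set_role(sid, submitted_token, content_type, origin, body):
    """Hypothetical /api/setrole handler guarded by the checks above."""
    ok, reason = validate_request(sid, submitted_token, content_type, origin)
    if not ok:
        return {"status": 403, "reason": reason}
    SESSIONS[sid]["role"] = json.loads(body)["role"]
    return {"status": 200, "reason": reason}
```

A forged request fails on the content type, the origin, or the token, while the site's own page, which carries the token, succeeds.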