{"id":148,"date":"2025-03-19T18:52:00","date_gmt":"2025-03-19T18:52:00","guid":{"rendered":"https:\/\/racrx.io\/?p=148"},"modified":"2025-03-23T14:08:19","modified_gmt":"2025-03-23T14:08:19","slug":"csrf-demystified","status":"publish","type":"post","link":"https:\/\/racrx.io\/?p=148","title":{"rendered":"CSRF Demystified"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\"><strong>1. What is CSRF?<\/strong><\/h3>\n\n\n\n<p><strong>Cross-Site Request Forgery (CSRF)<\/strong> is a web security vulnerability where an attacker tricks an authenticated user into <strong>unknowingly executing unwanted actions<\/strong> on a web application where they are logged in.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2. How CSRF Works<\/strong><\/h3>\n\n\n\n<p>A CSRF attack <strong>exploits the trust<\/strong> a web application has in a <strong>user\u2019s browser session<\/strong>. If the user is already authenticated, the browser automatically attaches the ambient credentials it holds for that site, such as <strong>session cookies<\/strong>, cached <strong>HTTP authentication headers<\/strong>, or a <strong>JWT stored in a cookie<\/strong>, to the <strong>forged request<\/strong>, making it appear <strong>legitimate<\/strong>. A token that lives in JavaScript storage and is added to requests by application code is not attached automatically, which is why cookie-based sessions are the usual target.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Attack Steps:<\/strong><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Victim logs into a web application<\/strong> (e.g., online banking).<\/li>\n\n\n\n<li>The session cookie is stored in the browser.<\/li>\n\n\n\n<li><strong>Victim visits a malicious website controlled by the attacker.<\/strong><\/li>\n\n\n\n<li>The malicious site <strong>triggers a forged request<\/strong> (e.g., transferring funds).<\/li>\n\n\n\n<li><strong>Browser automatically includes session credentials<\/strong>.<\/li>\n\n\n\n<li>The request is processed as a valid action on behalf of the victim.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3. 
CSRF Attack Example (Bank Transfer)<\/strong><\/h3>\n\n\n\n<p>Assume a banking website allows fund transfers via this <strong>legitimate request<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>POST \/transfer HTTP\/1.1<br>Host: bank.com<br>Cookie: session=abc123<br><br>amount=1000&amp;to=attacker_account<br><\/code><\/pre>\n\n\n\n<p>Now, an attacker <strong>tricks the victim<\/strong> into executing this request <strong>without their knowledge<\/strong> by embedding it in a malicious webpage:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>&lt;html&gt;<br>  &lt;body&gt;<br>    &lt;form action=\"https:\/\/bank.com\/transfer\" method=\"POST\"&gt;<br>      &lt;input type=\"hidden\" name=\"amount\" value=\"1000\"&gt;<br>      &lt;input type=\"hidden\" name=\"to\" value=\"attacker_account\"&gt;<br>    &lt;\/form&gt;<br>    &lt;script&gt;document.forms[0].submit();&lt;\/script&gt;<br>  &lt;\/body&gt;<br>&lt;\/html&gt;<br><\/code><\/pre>\n\n\n\n<p><strong>What happens?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If the victim <strong>is logged in<\/strong>, their browser automatically sends the <strong>session cookie<\/strong> to <code>bank.com<\/code>.<\/li>\n\n\n\n<li>The bank\u2019s server <strong>sees a valid request from the victim<\/strong> and <strong>transfers the money<\/strong> without their knowledge.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>4. Types of CSRF Attacks<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>A. 
GET-Based CSRF<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If an application <strong>performs sensitive actions via GET requests<\/strong>, attackers can exploit it by embedding an <strong>image request or iframe<\/strong>:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>&lt;img src=\"https:\/\/bank.com\/transfer?amount=1000&amp;to=attacker_account\"&gt;<br><\/code><\/pre>\n\n\n\n<p><strong>Mitigation:<\/strong> Never change state on <strong>GET<\/strong>; use <strong>POST<\/strong> (or another non-safe method) for state-changing actions, so that a bare URL in an image or iframe cannot trigger them. On its own this does not stop the hidden-form attack described under B, so combine it with the token or SameSite defenses in section 6.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>B. POST-Based CSRF<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Uses <strong>hidden forms<\/strong> and JavaScript to submit a forged request, as shown in the example above.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>C. JSON\/XML CSRF (API Exploitation)<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CSRF can target <strong>REST APIs<\/strong> that use cookies for authentication.<\/li>\n\n\n\n<li>Example attack via <strong>fetch() in JavaScript<\/strong>:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>fetch('https:\/\/api.example.com\/update-email', {<br>  method: 'POST',<br>  credentials: 'include',<br>  body: JSON.stringify({\"email\": \"attacker@example.com\"})<br>});<br><\/code><\/pre>\n\n\n\n<p>Note that this request sets no <code>Content-Type<\/code> header, so the browser sends the body as <code>text\/plain<\/code> and no CORS preflight occurs; an API that still parses such a body as JSON is exposed.<\/p>\n\n\n\n<p><strong>Mitigation:<\/strong> Use <strong>CSRF tokens<\/strong>, and reject bodies whose <code>Content-Type<\/code> is not <code>application\/json<\/code> (or require a custom header). A cross-origin call then becomes a non-simple request that the browser will not send without CORS permission from the API, which keeps the <strong>same-origin policy<\/strong> in force.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>5. 
Why is CSRF Dangerous?<\/strong><\/h2>\n\n\n\n<p><strong>Potential Worst-Case Scenarios:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Financial Fraud<\/strong> \u2013 Attacker transfers funds from the victim\u2019s account.<\/li>\n\n\n\n<li><strong>Account Takeover<\/strong> \u2013 Changes the victim\u2019s email or password, or enrolls the attacker\u2019s device in 2FA.<\/li>\n\n\n\n<li><strong>Data Theft<\/strong> \u2013 Redirects sensitive user data to the attacker by modifying profile settings (CSRF cannot read the response itself, since the same-origin policy blocks that).<\/li>\n\n\n\n<li><strong>Remote Code Execution (Chained Attack)<\/strong> \u2013 If an admin account is compromised, an attacker could <strong>escalate to full system control<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p><strong>Real-World Example:<\/strong><br>In 2008, <strong>Netflix was vulnerable to CSRF<\/strong>, allowing attackers to <strong>change account details<\/strong> just by tricking users into visiting a malicious site.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>6. CSRF Mitigation Techniques<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>A. CSRF Tokens (Synchronizer Token Pattern)<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>How it works:<\/strong> Every state-changing request must include a <strong>random, unpredictable token<\/strong> that the server generated and bound to the user\u2019s session.<\/li>\n\n\n\n<li><strong>Server validates the token<\/strong> before processing the request; a missing or mismatched token is rejected.<\/li>\n\n\n\n<li>Example token:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>&lt;input type=\"hidden\" name=\"csrf_token\" value=\"4d5f6g7h8i\"&gt;<br><\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Server verifies (Python; a constant-time comparison avoids leaking the token through timing, and a missing session token is treated as a failure):<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>import hmac<br>expected = session.get('csrf_token', '')<br>if not expected or not hmac.compare_digest(request.POST.get('csrf_token', ''), expected):<br>    return \"CSRF Attack Detected!\"<br><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>B. 
SameSite Cookies<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>SameSite=Strict<\/code> or <code>SameSite=Lax<\/code> prevents <strong>cookies from being sent<\/strong> with cross-site requests. <code>Strict<\/code> withholds the cookie on every cross-site request; <code>Lax<\/code> still sends it on top-level GET navigations, so it stops the forged POST form but not a GET-based action.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict<br><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>C. Referer\/Origin Header Validation<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Server checks the <code>Origin<\/code> header (falling back to <code>Referer<\/code> when it is absent) and rejects any request that did not come from the application\u2019s own origin. A request with neither header is rejected as well (Python):<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>origin = request.headers.get('Origin') or request.headers.get('Referer', '')<br>if origin != \"https:\/\/securebank.com\" and not origin.startswith(\"https:\/\/securebank.com\/\"):<br>    return \"CSRF Attack Detected!\"<br><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>D. Use <code>X-Requested-With<\/code> Header (For APIs)<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Require <code>X-Requested-With: XMLHttpRequest<\/code> on API requests. A custom header turns a cross-origin call into a non-simple request, so the browser sends a CORS preflight first and only delivers the request if the API explicitly allows that origin (JavaScript, client side):<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>fetch('\/transfer', {<br>  method: 'POST',<br>  headers: { 'X-Requested-With': 'XMLHttpRequest' }<br>});<br><\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Server validation (Python):<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>if request.headers.get('X-Requested-With') != 'XMLHttpRequest':<br>    return \"CSRF Blocked!\"<br><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>E. Disable CORS Credential Sharing<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Do not grant cross-origin access to credentialed API requests. <code>Access-Control-Allow-Credentials<\/code> only accepts the value <code>true<\/code>; omit it entirely for untrusted origins, and never pair it with a wildcard or reflected <code>Access-Control-Allow-Origin<\/code>. Send it only for an explicitly trusted origin:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Access-Control-Allow-Origin: https:\/\/securebank.com<br>Access-Control-Allow-Credentials: true<br><\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>7. CSRF vs. 
XSS: What\u2019s the Difference?<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Attack Type<\/strong><\/th><th><strong>CSRF (Cross-Site Request Forgery)<\/strong><\/th><th><strong>XSS (Cross-Site Scripting)<\/strong><\/th><\/tr><\/thead><tbody><tr><td><strong>What it exploits<\/strong><\/td><td>Trust between browser &amp; website<\/td><td>Trust between user &amp; website<\/td><\/tr><tr><td><strong>Attacker needs<\/strong><\/td><td>Victim to visit a malicious site<\/td><td>A vulnerable web page<\/td><\/tr><tr><td><strong>Impact<\/strong><\/td><td>Forces victim to perform actions<\/td><td>Steals data, executes JS<\/td><\/tr><tr><td><strong>Mitigation<\/strong><\/td><td>CSRF tokens, SameSite cookies<\/td><td>Input sanitization, CSP<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>8. Conclusion<\/strong><\/h2>\n\n\n\n<p><strong>CSRF is a high-impact vulnerability that allows attackers to force users into performing actions they never intended.<\/strong><br><strong>Mitigation requires CSRF tokens, SameSite cookies, and proper request validation.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>1. What is CSRF? 
Cross-Site Request Forgery (CSRF) is a web security vulnerability where an attacker tricks an authenticated user into unknowingly executing unwanted actions&hellip; <a href=\"https:\/\/racrx.io\/?p=148\" class=\"apace-readmore-link\"><span class=\"screen-reader-text\">CSRF Demystified<\/span>Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-148","post","type-post","status-publish","format-standard","hentry","category-web-stuff"],"_links":{"self":[{"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts\/148","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=148"}],"version-history":[{"count":5,"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts\/148\/revisions"}],"predecessor-version":[{"id":184,"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts\/148\/revisions\/184"}],"wp:attachment":[{"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=148"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=148"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=148"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}