DEV Community

Anh Trần Tuấn
Anh Trần Tuấn

Posted on • Originally published at tuanh.net on

Understanding CSRF: Methods to Protect Your Applications from Cross-Site Request Forgery

1. What is CSRF and Why Should You Care?

Image

Cross-Site Request Forgery (CSRF) is a type of attack where a malicious website tricks a user's browser into making an unwanted request to a different site where the user is authenticated. For instance, if a user is logged into their online banking account, a CSRF attack could trick their browser into transferring money without their knowledge.

1.1 How CSRF Attacks Work

  • User Authentication : The user logs into a trusted website (e.g., a bank) and their session is maintained using cookies.
  • Malicious Website : The user visits a malicious website while still logged into the trusted site.
  • Unwarranted Request : The malicious site sends a request to the trusted site using the authenticated user's credentials (usually through cookies).

Example : Suppose you're logged into your online banking account and visit a malicious site. The malicious site could include an image tag like this:

<img src="https://bank.example.com/transfer?amount=1000&to=attacker" />
Enter fullscreen mode Exit fullscreen mode

Since you're authenticated with the bank, the request will be executed, transferring money to the attacker’s account.

1.2 Potential Consequences

CSRF attacks can lead to various issues:

  • Unauthorized Transactions : Transfer of funds, changing account settings, or performing other sensitive actions.
  • >Data Theft : Exfiltrating personal or sensitive data.
  • User Experience : Compromising user trust and damaging the website’s reputation.

2. Methods to Prevent CSRF Attacks

Effective protection against CSRF involves implementing various security measures to ensure that requests are coming from legitimate sources.

2.1 Anti-CSRF Tokens

One of the most common methods to prevent CSRF attacks is using anti-CSRF tokens. These are unique tokens included in every form or request that must be validated by the server.

Example:

Server-Side Code (Spring Boot)

import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.stereotype.Controller;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class TransferController {

    @PostMapping("/transfer")
    public ModelAndView transferMoney(@RequestParam("amount") int amount, @RequestParam("to") String to, @RequestParam("csrfToken") String csrfToken) {
        // Validate the CSRF token
        if (!validateCsrfToken(csrfToken)) {
            throw new SecurityException("Invalid CSRF token");
        }
        // Perform money transfer
        return new ModelAndView("success");
    }

    private boolean validateCsrfToken(String token) {
        // Token validation logic
        return true;
    }
}
Enter fullscreen mode Exit fullscreen mode

Client-Side Code (HTML Form)

<form action="/transfer" method="post">
    <input type="hidden" name="csrfToken" value="${csrfToken}">
    <input type="number" name="amount" placeholder="Amount">
    <input type="text" name="to" placeholder="Recipient">
    <button type="submit">Transfer</button>
</form>
Enter fullscreen mode Exit fullscreen mode

2.2 SameSite Cookies

Another effective measure is setting the SameSite attribute on cookies. This restricts how cookies are sent with cross-site requests, adding an additional layer of protection.

Example:

Server-Side Code (Java with Servlet API)

import javax.servlet.http.Cookie;

public class MyServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        Cookie csrfCookie = new Cookie("csrfToken", generateCsrfToken());
        csrfCookie.setHttpOnly(true);
        csrfCookie.setSecure(true);
        csrfCookie.setPath("/");
        csrfCookie.setMaxAge(3600); // 1 hour
        csrfCookie.setSameSite("Strict"); // SameSite attribute
        response.addCookie(csrfCookie);
        // Continue processing
    }

    private String generateCsrfToken() {
        // Token generation logic
        return "generatedToken";
    }
}
Enter fullscreen mode Exit fullscreen mode

2.3 Referer Header Validation

Validating the Referer header ensures that requests are coming from legitimate sources. This involves checking the Referer header of incoming requests to confirm they are coming from the expected origin.

Example:

Server-Side Code (Node.js with Express)

const express = require('express');
const app = express();

app.post('/transfer', (req, res) => {
    const referer = req.headers.referer;
    if (!referer || !referer.startsWith('https://yourwebsite.com')) {
        return res.status(403).send('Forbidden');
    }
    // Perform transfer
    res.send('Transfer successful');
});
Enter fullscreen mode Exit fullscreen mode

3. Additional Tips for CSRF Protection

3.1 Use Secure Frameworks

Modern web frameworks often include built-in mechanisms for CSRF protection. Ensure you’re using these features to safeguard your applications.

3.2 Regular Security Audits

Conduct periodic security audits to identify and address potential vulnerabilities related to CSRF and other threats.

4. Conclusion

Cross-Site Request Forgery (CSRF) attacks can have serious consequences for web applications. By implementing anti-CSRF tokens, utilizing SameSite cookies, and validating referer headers, you can significantly enhance the security of your applications. Remember to use secure frameworks, educate your team, and conduct regular security audits to stay ahead of potential threats.

Feel free to leave a comment below if you have any questions or need further clarification on CSRF protection methods!

Read posts more at : Understanding CSRF: Methods to Protect Your Applications from Cross-Site Request Forgery

Top comments (0)