DEV Community 👩‍💻👨‍💻

Joy Palumbo
Joy Palumbo

Posted on

CSRF Attacks

CSRF stands for Cross-Site Request Forgery. It's a web-security vulnedrability that allows an attacker to force a user to perform actions they don't actually want to do. It's often referred to as a one-click attack because often all it requires for a user to do is one click. With just one click, it can allow an attacker to change a user's email or password, transfer funds or completely take over a users account. Luckily with CSRF attacks, the attacker cannot access any vulndrable data about the user. But that beings said, CSRF attacks can still do a lot of damage. CSRF attacks are in the top 10 mosyt frequently used attack methods.

Alt Text

Attackers usually accomplish a CSRF attack using HTTP requests. An attacker can do this by creating a web page. Within the webpage (usually in the html) they can insert an HTTP request to a specific website. The HTTP request can then be triggered and sent when a user clicks on a link or submits a form. Belowe is an example of code an attacker could put in their html. The action has a link to whatever website they want access to and specificially the page that changes a users email address. Then the attacker inserts their own email address. If the user is currently logged onto that specific site when the HTTP request is triggered,their cookies will enamble the attacker to access their account.

<br> document.forms[0].submit();<br>

It is a developer's responsibility to protect their users from CSRF attacks. Unfortunately CSRF attacks are very easy to produce so it is imperative that developers set up ways to prevent CSRF attacks. Developers should use CSRF anti-forgery tokens. These tokens are hidden in the htlm code and when the server renderes a page that has sensitive information, it requires an anti-forgery token, and the server will validate it. Another way a developer can protect their site is with SameSite cookie attributes. SameSite was created by google and other browers, such as fire fox have adopted it too. This allows developers to tells the browser whether or not to send cookies to a third-party domain.

Users should be careful though. You can't assume that all websites, even big named websites are protected. Often times sites aren't protected or they haven't protected their site correctly. A couple examples of big named companies that have been vulnedrable to CSRF attacks are Netflix, google, UTorrent and YouTube, just to name a few. A few things users can do to protect themselves are: Have up-to-date anti-virus soft wear. Some CSRF attacks can install malware on your computer. Also, only having one tab open in your browser at a time, always logging out after going to sensitive sites, such as a bank website, and don't store passwords in your browser.

In conclusion, even though data cannot be accessed through CSRF attacks they are still bad and can cause damage. CSRF attacks are very easiy to create. A few things a developer can do to prevent CSRF attacks are anti-forgery tolkens and SameSIte cookies.

Top comments (0)

Now it's your turn.

Join DEV and share your story.