Cross-Site Request Forgery (CSRF) ⚔️ Deep Dive 🔍
Description
CSRF is an attack where an attacker tricks a victim into unknowingly submitting a request. This request can be forged, leading to actions being performed on behalf of the victim without their consent. CSRF attacks often target state-changing requests, such as changing passwords or making financial transactions.
How it’s done:
1. Crafting Malicious Payload:
An attacker creates a malicious payload, typically in the form of a crafted URL or script .
This payload includes the target endpoint (e.g., changing email settings) and any required parameters.
2. Social Engineering:
The attacker convinces the victim to click on a link or visit a page containing the malicious payload.
This can be achieved through phishing emails, malicious websites, or other methods.
3. Unintentional Execution:
When the victim visits the page, the malicious payload executes, making a request to the target site on behalf of the victim.
The victim’s authenticated session on the target site is used, leading to unauthorized actions.
Countermeasures:
1. Anti-CSRF Tokens:
Include a unique anti-CSRF token in each HTML form. This token is validated on the server to ensure that the request is legitimate.
<form action="/change-email" method="post">
<input type="hidden" name="csrf_token" value="..."><!-- Anti-CSRF Token -->
<input type="email" name="new_email" required>
<button type="submit">Change Email</button>
</form>
# Server-side validation (using Flask as an example)
from flask import Flask, request, session, abort
app = Flask(__name__)
app.secret_key = 'your_secret_key'
@app.route('/change-email', methods=['POST'])
def change_email():
# Validate CSRF token
if request.form.get('csrf_token') != session.get('csrf_token'):
abort(403) # Forbidden
# Process the request
new_email = request.form.get('new_email')
# ... (update user's email)
return 'Email changed successfully'
2. SameSite Cookie Attribute:
Set the `SameSite` attribute on cookies to control when cookies are sent with cross-site requests.
# Set the SameSite attribute in a Flask application
from flask import Flask, session
app = Flask(__name__)
app.config['SESSION_COOKIE_SAMESITE'] = 'Strict'
3. Origin Header Validation:
Verify the `Origin` or `Referer` header on the server to ensure requests originate from an expected domain.
# Server-side validation (using Flask as an example)
from flask import Flask, request, abort
app = Flask(__name__)
@app.route('/change-email', methods=['POST'])
def change_email():
# Validate Origin or Referer header
origin = request.headers.get('Origin')
if origin not in ['https://yourdomain.com', 'http://localhost:3000']:
abort(403) # Forbidden
# Process the request
new_email = request.form.get('new_email')
# ... (update user's email)
return 'Email changed successfully'
4. Check for Idempotent Requests:
Ensure that state-changing requests are idempotent or require additional authentication for critical actions.
# Server-side validation (using Flask as an example)
from flask import Flask, request, abort
app = Flask(__name__)
@app.route('/transfer-funds', methods=['POST'])
def transfer_funds():
# Check if the request is idempotent
if request.headers.get('Idempotent') != 'true':
abort(403) # Forbidden
# Process the request
amount = request.form.get('amount')
# ... (transfer funds)
return 'Funds transferred successfully'
5. Logout on Close:
Implement a session timeout or require re-authentication for sensitive actions, and encourage users to log out when done.
# Set session timeout in a Flask application
from flask import Flask, session
app = Flask(__name__)
app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(minutes=15)
Implementing a combination of these countermeasures significantly reduces the risk of CSRF attacks. However, it's essential to carefully consider the specific requirements of your application and ensure that these countermeasures are integrated into your overall security strategy. Regular security audits and testing are crucial to identify and address potential vulnerabilities.
