
Cross-Site Request Forgery (CSRF) Vulnerabilities

Introduction to cookies and user authentication

Cross-site request forgery (CSRF) attacks exploit a vulnerability that lets an attacker take actions on a website on behalf of an authenticated user. Accomplishing this requires making a request to the target website from the user's browser while the user is authenticated to it.

Luckily for hackers, a user's session on a website is no longer limited to the time the tab is open. In the name of convenience, websites offer a "keep me signed in" option: for a set period after a user authenticates to a site by entering their credentials, they will be let back in without needing to authenticate again.


This works because of cookies. When the user logs in with their credentials, the site sets a cookie that the browser stores on the user's system; it contains a session identifier (or other session information). The browser then automatically attaches this cookie to future requests to that site, regardless of which page triggered the request, until the cookie expires or is deleted. This automatic inclusion of cookies is what makes CSRF attacks possible.

Cross-site request forgery vulnerabilities

While cookies are essential to a successful CSRF attack, they are not the only requirement. The attacker also needs the victim to have an account on a site that performs important actions (i.e., ones that can benefit the attacker in some way) in response to HTTP requests that carry all of the needed information within the request itself (in HTTP headers, in the query string, or in the body of a POST request). Such actions should require no further user interaction: loading the page that issues the request should be enough.
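As an added example (not code from the original post), the following Python model shows why the session cookie alone cannot prove the user intended an action: a handler that trusts only the cookie accepts a forged cross-site POST, while a hardened handler rejects it by requiring a per-session anti-CSRF token that a foreign page cannot read and by checking the Origin header. The bank site's origin, session store, request shape and endpoint are all assumptions made for the illustration.

```python
"""Constructed model of a state-changing endpoint: vulnerable vs. hardened."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://www.mybank.com"  # assumed origin of the hypothetical site

# Server-side session store (assumed): session id -> {"user": ..., "csrf": ...}
sessions: dict = {}


def login(user: str) -> str:
    """Create a session; the browser would carry the returned id as a cookie."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


@dataclass
class Request:
    method: str
    cookies: dict                      # attached automatically by the browser
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def transfer_vulnerable(req: Request) -> str:
    """Trusts the session cookie alone, so any page that can make the browser
    POST here acts as the logged-in user."""
    sess = sessions.get(req.cookies.get("sid"))
    if req.method != "POST" or sess is None:
        return "denied"
    return f"transferred {req.form.get('amount')} from {sess['user']}"


def transfer_hardened(req: Request) -> str:
    """Same action, but proves the request came from our own page."""
    sess = sessions.get(req.cookies.get("sid"))
    if req.method != "POST" or sess is None:
        return "denied"
    # Browsers send Origin on cross-site POSTs; reject anything foreign.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "denied: cross-site origin"
    # Synchronizer token: embedded in our own form, unknown to other sites.
    supplied = req.form.get("csrf", "").encode()
    if not hmac.compare_digest(supplied, sess["csrf"].encode()):
        return "denied: missing or wrong CSRF token"
    return f"transferred {req.form.get('amount')} from {sess['user']}"
```

Setting the session cookie with the SameSite attribute is a complementary browser-side defence that keeps the cookie off most cross-site requests in the first place.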

URLs can pass additional information to a site in the query string, which this article calls verbs: a set of key-value pairs that appear after a question mark in the URL. For example, the URL https://www.mybank.com?uname=user&pass=Password would connect to mybank.com and (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/T8FK0_FIDgs/