Skip to content

CSRF

In CSRF an attacker submit request to the site where the victim user already has an authentication session.

An attacker can send request on site1 using XSS in site2, or using own web site.

Protection mechanisms:

2023043023452929 CORS SOP

js in xss injection in site2 can't read response from request to target site site1.

202304302357011 Same site Cookies

when js in xss injection execute request to other site (site1) browser don't send site1 Cookie. But it depends, see details in article about same site 202304302357011 Same site Cookies

Protection in web server

Some implementation: 1. In get requests web server generates some CSRF token and send them in response in the header "CSRF token" and in the cookie "CSRF-Token". This cookie must be httpOnly with samesite=strict 2. The web application when doing POST PUT DELETE requests sends in the request header CSRF Token gotten from the previous get request 3. The web server checks that the value from the request header "CSRF token" matches the value from the cookie "CSRF Token"

[[2023090416075757 An example of CSRF attack]]

References

  1. web200.Cross-Origin-Attacks.Cross-Site Request Forgery
  2. (Scott Helme, 2019), https://scotthelme.co.uk/csrf-is-really-dead/