What is Cross-Site Request Forgery (CSRF)? More importantly, how can your business take action against it? Here's everything you need to know about this threat, its potential impact and your best defense.
CSRF is listed in the OWASP Top 10 (A8 in the 2013 edition), but it is often overlooked in favor of Cross-Site Scripting (XSS), advanced malware or the headline-grabbing software flaws of the moment. Yet a CSRF weakness can be just as damaging if it is not identified and fixed quickly. At its most basic level, a CSRF attack makes an end user's browser perform an action in a web application the user is logged into, without the user's knowledge. These attacks target state-changing requests, such as transferring funds or changing an account's linked e-mail address, rather than theft of data: the attacker's page can trigger the request but, because of the browser's same-origin policy, cannot read the response.
Here's how it works: A user logs into a web application and, in the same browser, visits another site that hosts the CSRF attack code. That code causes the browser to send a request to the application, and the browser attaches the user's session cookie to it automatically, exactly as it would for a request the user made on purpose. The application therefore cannot tell a forged request from a legitimate one. For example, if a user is logged into www.mybank.com and opens www.shadywebsites.com in another tab, a Cross-Site Request Forgery attack hosted on that page could transfer money out of his or her bank account. It can take as little as one click on a malicious e-mail link, and a form auto-submitted from a hidden IFrame needs no click at all. Because the browser treats forged and legitimate requests identically, users are often unaware they've been compromised.
What's more, banks and other secure web services often resist classifying this as fraud, since the request originated from the user's own authenticated session. The threat is even more worrisome for administrator accounts, since a CSRF attack that rides on an admin session can reach every privileged function of the application.
As noted by Threat Post, cross-site forgery flaws have turned up in the WSO2 Identity Server, where they could give attackers the ability to add arbitrary users to the server. E&T adds that United Airlines now offers a bug bounty program that pays out for CSRF vulnerabilities. Although the program classifies them as "low severity", alongside XSS and third-party issues, it still pays 50,000 air miles for a valid report.
So how do companies defend against this threat? OWASP lists several defenses that do not work, such as relying on a secret cookie or designing the application to accept only POST requests. A cookie, secret or not, is attached by the browser to every request to the site, including forged ones, so it proves nothing about who initiated the request. Accepting only POST does not help either: the attacker simply hosts a form with hidden fields and has a script submit it the moment the victim's page loads.
An effective defense is an unpredictable challenge token generated per user per session and checked on every state-changing request (OWASP calls this the synchronizer token pattern). The token is embedded in the application's own forms but never delivered as a cookie, so a page on another origin cannot obtain it and the server can reject any request that arrives without the correct value. This could take the form of a one-time code that must be submitted with each request, or a CAPTCHA challenge that alerts users when a request is submitted without their knowledge. While these measures add friction for users, they are among the most effective ways to stop CSRF attacks from moving money or hijacking accounts by redirecting the e-mail address that password resets are sent to.
Bottom line: Cross-Site Request Forgery attacks are growing as users spend more time logged into web applications while browsing the Internet at large. Combined with phishing lures and seemingly legitimate websites that host CSRF code, almost any user, from frontline employee to administrator, can fall victim. By designing for web security from the ground up, however, and opting for challenge tokens or a similar defense, companies can make sure forged requests are rejected rather than quietly executed.
Want more information about active threat modeling for web- and cloud-based threats? Start here.
Photo Source: BigStock