Bugreader

Hello everyone! Today we will talk about the CSRF vulnerability.

What is CSRF?

Its full name is Cross-Site Request Forgery, and as the name says, its goal is to make a specific request/action happen on behalf of another user without his/her knowledge.

In web applications, the most commonly used types of requests are POST and GET. To clarify this point, see this simple GET example:

In the above example, the user deletes his/her post by visiting a link that carries a GET parameter (delete_post) specifying the action, in our case deleting the post with that unique ID.

Another request example, but this time it's a POST:

In both examples, the attacker must convince the victim to open a link in the same browser where his/her account is logged in. Why? Because the most common method for keeping login sessions is cookies, small pieces of data stored by the browser; I will share another article about them later in detail.

So the browser sends the cookies with every page view or link click on that website, no matter where the request came from, and that is how the site checks whether the user is logged in.

So what is the problem?

The problem is that the browser can't tell whether the user really intended that specific action from his/her device, and the server performs the action without question.

So if the user clicks on a link that redirects to:

http://my-website.com/account/server.php?delete_post=12563

their post will be deleted, sometimes without them even knowing it, if the attack is combined with other types of bugs such as clickjacking.

So how to prevent this attack?

And how can the browser tell the server that the request/action really comes from the account owner? Here comes the role of the token. A CSRF token is a random, long-enough string or number that is added to each request to ensure that the request is sent from an authorized source. The server checks that the token belongs to the account owner, and only then is the action executed. Note that the token must not be short or predictable.

So, in short, the token must be embedded in the same page as the Delete button the user uses to delete the post. This way, the attacker can't know the token and can no longer perform the attack.

Conclusion

CSRF is one of the most dangerous vulnerabilities ever, because it can be combined with other attack methods and lead to many other serious leaks.

Extra: antiCSRF plugin

As a web developer, I developed an open-source JavaScript anti-CSRF plugin.

It adds a CSRF token to all requests on the page, including HTML forms and Ajax requests. In fact, I use it on Bugreader too :)

You only need to add one line to your page, nothing else:

antiCSRF({'t' : 'my_token_here'});

The project on GitHub: https://github.com/moh85/anticsrf

Thank you for reading and happy hunting!