NuHarbor Security Blog
May 28, 2020

Web app vulnerability basics: Cross-site request forgery

Justin Fimlaid

This is the second installment in a series on Web Application Vulnerability Basics.

What Is Cross-Site Request Forgery?

Cross-Site Request Forgery, also known as CSRF or XSRF, is a web application attack that tricks a victim into submitting a malicious request to a web application they are currently authenticated to. Because the victim is authenticated, the malicious request appears to be a legitimate request from that user. The victim is usually unaware of the attack, so CSRF can easily go unnoticed. CSRF is most commonly delivered through cross-site scripting, but it can also be triggered by a malicious phishing link or email.

This can allow an attacker to change the victim's password, make purchases, initiate bank transfers, and much more, with every action appearing as a legitimate request from the victim. If the victim is a privileged user, an attacker can use CSRF to create new accounts, modify and exfiltrate sensitive data, and ultimately compromise the web application completely.


How does CSRF Work?

Some web applications use cookies and other identifying information to maintain an authenticated session once a user has logged in, and browsers automatically include this information with every request they send to the application. CSRF takes advantage of this by tricking a user into sending a malicious request to the web application; because the browser attaches the session identifier, the web server treats the request as a valid action by the user. A CSRF attack therefore lets an attacker create, modify, or delete data in a web application on the victim's behalf, without their knowledge.

For example, suppose a victim is logged into mywebapp and an attacker wants to change their password via CSRF. The attacker crafts a request that changes the password of whichever user is currently logged in, such as: mywebapp/settings?newpassword=1234. The authenticated victim is then tricked into clicking the link, and the web server executes the password change. If the attacker has already planted a stored XSS payload on the site, the victim's browser can be made to request the crafted CSRF address automatically when the page is viewed, changing the password of any logged-in user who views that page.


CSRF Mitigation Techniques


Token-Based Mitigation

Token-based mitigation is the most widely used defence against CSRF and has proven effective. Many frameworks have native support for CSRF tokens, so check whether yours does before implementing a custom solution. Token-based solutions fall into two groups, stateful and stateless tokens. Use whichever suits your application and scenario; both accomplish the same objective.

Stateful tokens, sometimes called synchronizer tokens, are generated per user session or per request and kept on the server. The token is usually placed in a hidden HTML form field and sent to the client, and when the client makes a request it must include that token so the server can compare it with the value it holds. This is fairly easy to implement, has little impact on the user experience, and is very hard for a CSRF attack to get around.

With stateless tokens, the web server builds a token from the session ID and a timestamp and either encrypts it or hashes it with a server-side secret key. The server distributes the token to the client, and the client includes the token when it sends a request back. Depending on the method used, the server either decrypts the token and compares it to the expected value, or recomputes the keyed hash for the session and compares it to the client's hashed token. If the tokens match, the web server allows the request.
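The stateless variant described above, applied to the password-change request from the earlier example, as an added illustration that is not code from the original post. The secret key, session identifier, token format and the handle_password_change handler are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Server-side secret key. Constructed here so the example runs offline;
# in production load it from a secret store and rotate it, never hard-code it.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_MAX_AGE = 3600  # seconds a token remains valid

def _mac(session_id: str, issued_at: int) -> str:
    """Keyed hash binding the token to one session and its issue time."""
    msg = f"{session_id}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_csrf_token(session_id: str, now: Optional[int] = None) -> str:
    """Stateless token of the form <issued_at>.<hmac>; nothing is stored server-side."""
    issued_at = int(time.time()) if now is None else now
    return f"{issued_at}.{_mac(session_id, issued_at)}"

def verify_csrf_token(token: Optional[str], session_id: str, now: Optional[int] = None) -> bool:
    """True only for an untampered token issued for this session within TOKEN_MAX_AGE."""
    if not token or "." not in token:
        return False
    issued_str, mac = token.split(".", 1)
    if not issued_str.isdigit():
        return False
    issued_at = int(issued_str)
    current = int(time.time()) if now is None else now
    if issued_at > current or current - issued_at > TOKEN_MAX_AGE:
        return False  # expired, or claims to be issued in the future
    # Recompute the keyed hash for the session and compare in constant time.
    return hmac.compare_digest(mac, _mac(session_id, issued_at))

def handle_password_change(session_id: str, params: dict) -> str:
    """Hypothetical handler for the post's mywebapp/settings?newpassword=... request."""
    if not verify_csrf_token(params.get("csrf_token"), session_id):
        return "403 Forbidden: missing or invalid CSRF token"
    return "200 OK: password changed"

if __name__ == "__main__":
    sid = "sess-abc123"  # constructed session identifier
    # The forged link carries the victim's cookie but no token, so it is refused.
    print(handle_password_change(sid, {"newpassword": "1234"}))
    # The application's own form embeds a token and is accepted.
    print(handle_password_change(sid, {"newpassword": "1234", "csrf_token": issue_csrf_token(sid)}))
```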


Other Techniques

A few additional techniques are used to counter CSRF, but they should not replace token-based mitigation. Use these strategies to strengthen token-based mitigation, not as a substitute for it.

  • Verify the request's origin using standard headers
  • Use custom request headers
  • Employ a robust content security policy to prevent the XSS used to deliver CSRF attacks
  • Require user interaction and reauthentication for sensitive requests
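The first item above, verifying the request's origin from the standard Origin and Referer headers, as an added defence-in-depth check that is not code from the original post. The allowed origin and the sample headers are constructed, and the check is meant to sit alongside token validation, not replace it.

```python
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Origins this application is legitimately served from (constructed for the example).
ALLOWED_ORIGINS = {"https://mywebapp.example"}
# Methods that must not change state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL such as a Referer to scheme://host[:port]; None if unparsable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def origin_check_passes(method: str, headers: Mapping[str, str]) -> bool:
    """For state-changing requests, require the Origin header (or, if the
    browser omitted it, the Referer) to name one of our own origins.
    Header names are matched case-insensitively; a request carrying neither
    header fails closed, as does the opaque "null" origin."""
    if method.upper() in SAFE_METHODS:
        return True
    lower = {name.lower(): value for name, value in headers.items()}
    source = lower.get("origin")
    if source is None:
        # Some browsers send only Referer on same-site form posts; fall back to it.
        referer = lower.get("referer")
        source = _origin_of(referer) if referer else None
    if source is None or source == "null":
        return False
    return source.lower() in ALLOWED_ORIGINS
```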


Conclusion

CSRF can be a dangerous web application exploit, but it is easily mitigated. Ensure you are protecting against CSRF attacks to protect both your users and your application. A great way to verify your protection against CSRF is to employ a NuHarbor Web Application Penetration Test.


Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
