How does Cross-Site Request Forgery work?

An attacker’s aim for carrying out a CSRF attack is to force the user to submit a state-changing request. Examples include:

  • Submitting or deleting a record.
  • Submitting a transaction.
  • Purchasing a product.
  • Changing a password.
  • Sending a message.

Social engineering platforms are often used by attackers to launch a CSRF attack. This tricks the victim into clicking a URL that contains a maliciously crafted, unauthorized request for a particular Web application. The user’s browser then sends this maliciously crafted request to a targeted Web application. The request also includes any credentials related to the particular website (e.g., user session cookies). If the user is in an active session with a targeted Web application, the application treats this new request as an authorized request submitted by the user. Thus, the attacker succeeds in exploiting the Web application’s CSRF vulnerability.

A CSRF attack targets Web applications failing to differentiate between valid requests and forged requests controlled by attacker. There are many ways for an attacker to try and exploit the CSRF vulnerability.

To give you an example, let’s say that Bob has an online banking account on samplebank com. He regularly visits this site to conduct transactions with his friend Alice. Bob is unaware that samplebank Com is vulnerable to CSRF attacks. Meanwhile, an attacker aims to transfer $5,000 from Bob’s account by exploiting this vulnerability. To successfully launch this attack:

  1. The attacker must build an exploit URL.
  2. The attacker must also trick Bob into clicking the exploit URL.
  3. Bob needs to have an active session with samplebank com.