Cross-Site Request Forgery (CSRF), also known as Session Riding and XSRF, is a common application-layer vulnerability that allows an attacker to use a victim's active session to perform actions on the victim's behalf without his knowledge or consent. CSRF attacks are hard to detect because the forged requests are disguised as normal user requests.
A regular fixture in the OWASP Top 10, CSRF attacks are fast gaining popularity in hacking circles. According to the Superfecta report released by FireHost (covering the four most frequently executed types of cyberattack: SQL Injection, Cross-Site Scripting, Directory Traversal and Cross-Site Request Forgery), CSRF attacks almost doubled from Q1 2012 to Q1 2013.
CSRF attacks exploit a web application's inability to tell a request the user intended to make from one forged on his behalf by a third-party page. These attacks typically take shape in the following manner:
CSRF attacks can be executed on their own or in tandem with other techniques, but they are most commonly initiated with the help of social engineering.
Web applications make changes to their databases when they receive commands from a browser, typically in the form of requests to so-called "task URLs". Once a user contacts the server, he is issued a unique session ID, which his browser then attaches to every subsequent request to that site. The session ID lets the web application recognize the source of the input and grant it access to its databases. CSRF attacks exploit this very authentication mechanism.
Attackers craft contaminated "task URLs" and push them out using various social engineering techniques. Once the link is opened, the victim's browser issues the unauthorized request, riding on the session ID acquired earlier.
The victim logs in to his banking web application (www.mybank.com) and starts a session. He is issued a unique session ID and the interaction with the server begins.
The attacker creates a URL carrying a CSRF payload with the intent of stealing $1000 from the victim's bank account. This malicious URL is pushed to the victim via social engineering. The contaminated URL can look like:
<iframe src="http://mybank.com/app/transferAmount?amount=1000&destinationAccount=..."></iframe>
Loading the iframe sends the request to mybank.com, riding on the session the victim is already logged in to. The $1000 is transferred to the account specified by the attacker.
Besides the dangers described above, a CSRF vulnerability can also serve as a stepping stone for other types of attacks. For example, a CSRF attack launched through Cross-Site Scripting (XSS) is a potent hacking method that can cause colossal damage to organizations and private users alike.
Besides using the comprehensive Checkmarx solution, security officers and developers must make a habit of taking the following security measures:
CxSAST helps eradicate CSRF vulnerabilities by scanning the source code and identifying the sensitive junctions where the application can be compromised. All the developer has to do is insert appropriate anti-CSRF protection at the vulnerable junctions located by Checkmarx's scanner. CxSAST comes with built-in CSRF queries for out-of-the-box CSRF detection.
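The forged request in the example above goes through only because the browser attaches the victim's session cookie automatically; nothing in the request proves that the victim meant to send it. The following Python model is added here as an illustration and is not code from the post or from Checkmarx. It shows the kind of anti-CSRF protection a transfer endpoint needs to tell the iframe request from a legitimate one: insisting on POST for state changes, checking the Origin/Referer header, and validating a per-session anti-CSRF token (the synchronizer token pattern). The endpoint name is taken from the example URL; the session store, the trusted origin, the balances and the account identifiers are constructed for the example.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store; stands in for the bank's real session backend.
SESSIONS: dict[str, dict] = {}

TRUSTED_ORIGIN = "https://mybank.com"  # assumed origin of the bank's own pages


@dataclass
class Request:
    """Minimal model of an HTTP request. Cookies are attached by the browser automatically,
    so a forged request carries the victim's session; headers and form fields come from
    whoever built the request (the bank's own page, or a page the attacker controls)."""
    method: str
    cookies: dict[str, str] = field(default_factory=dict)
    headers: dict[str, str] = field(default_factory=dict)
    form: dict[str, str] = field(default_factory=dict)


def login(user: str) -> tuple[str, str]:
    """Start a session and mint a per-session anti-CSRF token (synchronizer token pattern).
    The bank embeds the token as a hidden field in its own transfer form; a third-party
    page cannot read it because of the same-origin policy."""
    session_id = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf": csrf_token, "balance": 5000}
    return session_id, csrf_token


def transfer(req: Request) -> tuple[int, str]:
    """Handle the transferAmount endpoint. Returns (HTTP status, message)."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401, "no valid session"
    # Check 1: state changes only via POST, so a URL loaded through an <img>/<iframe> src
    # (always a GET) never reaches the transfer logic.
    if req.method != "POST":
        return 405, "state change requires POST"
    # Check 2: when the browser supplies Origin (or Referer), it must be the bank's own site.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin and not origin.startswith(TRUSTED_ORIGIN):
        return 403, "cross-origin request refused"
    # Check 3: the form must carry the token bound to this session; compare in constant time.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "missing or invalid anti-CSRF token"
    try:
        amount = int(req.form.get("amount", "0"))
    except ValueError:
        return 400, "invalid amount"
    if amount <= 0 or amount > session["balance"]:
        return 400, "invalid amount"
    session["balance"] -= amount
    return 200, f"transferred {amount} to {req.form.get('destinationAccount', '?')}"


def demo() -> dict[str, object]:
    """Replay the post's scenario: three forged requests and one legitimate one."""
    sid, token = login("victim")
    cookie = {"session": sid}  # the browser adds this to every request to mybank.com
    payload = {"amount": "1000", "destinationAccount": "ATTACKER-ACCT"}  # constructed values
    # (a) the post's iframe: a GET carrying the session cookie but no token.
    iframe_get = Request("GET", cookies=cookie,
                         headers={"Referer": "https://attacker.example/page.html"}, form=payload)
    # (b) an auto-submitting form on a third-party page: a POST, but the browser sets
    #     Origin to that page's site, not the bank's.
    forged_post = Request("POST", cookies=cookie,
                          headers={"Origin": "https://attacker.example"}, form=payload)
    # (c) same, with Origin absent and a guessed token: the token check still stops it.
    guessed = Request("POST", cookies=cookie, form={**payload, "csrf_token": "guess"})
    # (d) the bank's own form: a POST from the bank's origin carrying the real token.
    legit = Request("POST", cookies=cookie, headers={"Origin": TRUSTED_ORIGIN},
                    form={"amount": "1000", "destinationAccount": "SAVINGS-0001",
                          "csrf_token": token})
    return {
        "iframe_get": transfer(iframe_get),
        "forged_post": transfer(forged_post),
        "guessed_token": transfer(guessed),
        "legit": transfer(legit),
        "balance": SESSIONS[sid]["balance"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the file prints the outcome of each request: the iframe GET is refused with 405, the cross-origin POST and the guessed-token POST with 403, and only the bank's own form submission succeeds and reduces the balance. The three checks are layered deliberately: the method and Origin checks are cheap and catch the common cases, while the per-session token is the one that holds even when the browser sends no Origin or Referer header. Marking the session cookie `SameSite=Lax` or `Strict` adds a further browser-enforced layer on top of these server-side checks.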
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.