InfoSec Awareness: CSRF

CSRF stands for Cross-Site Request Forgery and is also known as a one-click attack or session riding. In a CSRF attack the victim's browser is hijacked to "do" things on a website without the user knowing. It is the proverbial trojan horse: the site inherently trusts that requests arriving from the user's browser are actions the user intended, so a forged request riding on the coat tails of that trust is granted the same privileges the user has. An attacker may also forge a request that logs the victim in to a target website using the attacker's credentials; this is known as login CSRF.

A simple (hypothetical) example: an authenticated WordPress user with admin privileges is tricked into clicking a link while logged in, and the resulting request transfers admin privileges to the attacker. We have seen this kind of attack on Facebook and Twitter before, where DMs or messages are spread across Facebook walls or via Twitter DMs.

Prevention

Individual Web users using unmodified versions of the most popular browsers can do relatively little to prevent cross-site request forgery.

Logging out of sites and avoiding their “remember me” features can mitigate CSRF risk; not displaying external images or not clicking links in spam or untrusted e-mails may also help.

Challenge-response is another defense option against CSRF. Some examples of challenge-response mechanisms are CAPTCHAs, re-authentication (asking for the password again before a sensitive action), and one-time tokens.
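The one-time token defense above works because the token lives in the page (form body), not in a cookie, so the browser does not attach it automatically to a request forged from another site. The following is an added illustration, not code from the original post: a small server-side token store bound to the session and the form action, with a request handler that accepts a genuine submission once and rejects a forged request, a replay of a used token, a token issued to a different session, and an expired token. The session ids, action paths and request dictionaries are constructed for the example.

```python
import hmac
import secrets
import time


class CsrfTokenStore:
    """Server-side store of one-time CSRF tokens.

    Each token is bound to the session that requested it and to the form
    action it protects, has a limited lifetime, and is consumed on first
    use so a replayed request fails.
    """

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        # (session_id, token) -> (action, expiry_timestamp)
        self._tokens = {}

    def issue(self, session_id, action, now=None):
        """Create a fresh unguessable token for this session and action."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[(session_id, token)] = (action, now + self.ttl)
        return token

    def consume(self, session_id, action, token, now=None):
        """Validate and invalidate a token; True only on first, in-time use."""
        now = time.time() if now is None else now
        # pop() removes the token whether or not it validates, so it can
        # never be presented twice.
        entry = self._tokens.pop((session_id, token), None)
        if entry is None:
            return False
        expected_action, expiry = entry
        if now > expiry:
            return False
        # Constant-time comparison of the bound action against the one requested.
        return hmac.compare_digest(expected_action, action)


def handle_state_change(store, request, now=None):
    """Simulated handler for a state-changing POST.

    `request` is a constructed dict: the browser-attached session cookie
    under "cookie_session", the target "action", and the form fields under
    "form". A cross-site forgery can make the browser send the cookie, but
    cannot read or supply the page-embedded csrf_token.
    """
    session_id = request.get("cookie_session")
    if session_id is None:
        return "unauthenticated"
    token = request.get("form", {}).get("csrf_token")
    if token is None or not store.consume(session_id, request["action"], token, now=now):
        return "rejected"
    return "ok"


def demo():
    """Walk through the legitimate and forged cases; returns the outcomes."""
    store = CsrfTokenStore(ttl_seconds=60)
    session = "sess-victim"                # constructed session id
    action = "/admin/promote-user"         # constructed sensitive action
    token = store.issue(session, action, now=1000)

    genuine = {"cookie_session": session, "action": action,
               "form": {"csrf_token": token, "user": "attacker"}}
    forged = {"cookie_session": session, "action": action,
              "form": {"user": "attacker"}}  # cookie present, token absent

    results = {}
    results["forged"] = handle_state_change(store, forged, now=1001)
    results["genuine"] = handle_state_change(store, genuine, now=1002)
    results["replay"] = handle_state_change(store, genuine, now=1003)

    other = store.issue("sess-other", action, now=1000)
    wrong_session = {"cookie_session": session, "action": action,
                     "form": {"csrf_token": other}}
    results["wrong_session"] = handle_state_change(store, wrong_session, now=1001)

    stale = store.issue(session, action, now=1000)
    expired = {"cookie_session": session, "action": action,
               "form": {"csrf_token": stale}}
    results["expired"] = handle_state_change(store, expired, now=2000)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {outcome}")
```

The design point is that the token is something the attacker's page cannot obtain: cookies are sent automatically across sites, but the token is embedded in the victim's own page and returned in the form body, and it is tied to the session and action, so a token captured elsewhere or reused does not validate.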
