Cross Site Request Forgery (CSRF)

When we using computers, it would be better if we know about security risks also. Therefore today I will consider about computer security problem. I'm writing this post to talk about a common type of cyber attack which named Cross Site Request Forgery (CSRF). Lets talk about what is this CSRF means? This is a kind of attack used by hackers to execute some action that wanted by hacker with the authorization of end user (legitimate user). To make it more clear, I will take some example.


This is the story. There are two characters named John and Robert. Both of people have a facebook account and John have some photos uploaded into his facebook account. But that photos can be viewed only by the friends of John. Robert is not a friend of John and so Robert cannot view them. However he needs to view that photos. One option he has is to be a facebook friend of John. But the problem is John does not want to be a facebook friend with Robert. What can robert do?

According to the above story, John is the legitimate user and Robert is the hacker. Robert can make a CSRF attack to force John to execute friend request. Basically, in any web based applications, actions will happen through some web requests (REST, SOAP). Lets assume this GET request https://facebook.com/friends/Robert will make a friend request to Robert. Robert can send this URL to John force him to execute it. That is a CSRF attack.

How Robert can achieve the the goal. One way is sending an email with HTML body that contains hidden img tag with src parameter as above URL.
<div style="display:none;">
    <img src="https://facebook.com/friends/Robert">
</div>

When body of the email page loads, img tag will try the execute URL the given in src parameter, it will automatically execute Robert's request. So John is making a facebook friend request to Robert even John does not know that he does.

How to prevent this type of attacks? There are 3 options we can use to prevent it.
  • Synchronizer patter.
  • Double submit cookie pattern.
  • Samesite flag for cookies.
This options should be implemented in application server logic. I will explain these things in later posts.

Thank you.

Please note that the URL I used above is not the real web request URL of the facebook.com. It is a simple example to make the concept of CSRF more clear.

Comments

Post a Comment

Popular posts from this blog

Introduction to docker!

Image
Well, Today I thought to bring you something different. Docker is the most popular platform in today to run applications easily. Docker helps us to deploy our applications more easily with less involvements of configurations. Main concept behind the docker is virtualization . Anyway, this is some kind of large topic and like you, I'm still learning these stuff. However I would like to share my experience on this technology with you. I hope this will help someone who willing to take the first step of the docker technology. Without further, let's dive into the docker sea !. So as I say, Lets start docker from basic. 😉 Why we need docker? The requirement of docker is started with the introduction of micro service architecture. According to the microservice architecture , we should split/divide our application into different individual services. So that, unlike 3 tier (monolithic) architecture, we have to deploy and run several services. Example system with microservic...
Read more

How to view queries executed in MySQL?

Hi all, This is a small post which I would like to share my finding with you. In one of my software project, There was a small peace of software which frequently dealing with database. (I got that clue from MySQL workbench dashboard) I was so curious about that because I wanted to know what does that do and what does it read/write from/to the database.  Finally I found a solution which helps me to find out that ! The solution was MySQL log. First you will have to enable the log. If you are using a version below 5.1.12, you will have to go to configuration level (my.cnf). But fortunately, If you are using MySQL >= 5.1.12 you can do that on the fly with MySQL global variables and does not need to restart the server as well. This is how I did (in MySQL >= 5.1.12), There are two options which can be done. Writing log to a table Writing log to a file. By default, MySQL logging is disabled, because of the performance reasons.  So we have to enable it first.   Writing log ...
Read more

Lets read emails in gmail using oAuth 2.0 (Application demo)

Image
Today I will create a oAuth application using java programming language. The application will access google's gmail api and read emails in user's gmail inbox. To access user's gmail account, application will use oAuth access token obtained by gmail authentication server. Don't worry. I will demonstrate each step by clearly. So lets start computing from basics! To use gmail api, we need to obtain app id and app secret from google api console. To do so, you will need a google account. If you are using a gmail account or any other google product (Ex. google drive, youtube), then you already have a google account. If you don't have a google account, you can create it from here. So then you will need to access into the google cloud api console. It has very clear and clean user interface. Google api console will provide various kinds of apis from each of google products. Since we are going to develop for Gmail, lets log into gmail api section. In google itself there are...
Read more