Cross Site Request Forgery (CSRF)

When we using computers, it would be better if we know about security risks also. Therefore today I will consider about computer security problem. I'm writing this post to talk about a common type of cyber attack which named Cross Site Request Forgery (CSRF). Lets talk about what is this CSRF means? This is a kind of attack used by hackers to execute some action that wanted by hacker with the authorization of end user (legitimate user). To make it more clear, I will take some example.


This is the story. There are two characters named John and Robert. Both of people have a facebook account and John have some photos uploaded into his facebook account. But that photos can be viewed only by the friends of John. Robert is not a friend of John and so Robert cannot view them. However he needs to view that photos. One option he has is to be a facebook friend of John. But the problem is John does not want to be a facebook friend with Robert. What can robert do?

According to the above story, John is the legitimate user and Robert is the hacker. Robert can make a CSRF attack to force John to execute friend request. Basically, in any web based applications, actions will happen through some web requests (REST, SOAP). Lets assume this GET request https://facebook.com/friends/Robert will make a friend request to Robert. Robert can send this URL to John force him to execute it. That is a CSRF attack.

How Robert can achieve the the goal. One way is sending an email with HTML body that contains hidden img tag with src parameter as above URL.
<div style="display:none;">
    <img src="https://facebook.com/friends/Robert">
</div>

When body of the email page loads, img tag will try the execute URL the given in src parameter, it will automatically execute Robert's request. So John is making a facebook friend request to Robert even John does not know that he does.

How to prevent this type of attacks? There are 3 options we can use to prevent it.
  • Synchronizer patter.
  • Double submit cookie pattern.
  • Samesite flag for cookies.
This options should be implemented in application server logic. I will explain these things in later posts.

Thank you.

Please note that the URL I used above is not the real web request URL of the facebook.com. It is a simple example to make the concept of CSRF more clear.

Comments

Post a Comment

Popular posts from this blog

CSRF Defence - Synchronizer Token Pattern Demo

Image
I have wrote some theoretical background of CSRF and CSRF prevention mechanisms in previous posts. If you don't have much idea about what CSRF and how prevention mechanisms works, please go back and read them first. These are the links for them. Cross Site Request Forgery (CSRF) CSRF Defence - Synchronizer Token Pattern From here onword, I assume you have the basic idea of concept of CSRF attack and prevention mechanisms. So, lets get started. This post is fully practical based one. At them end of this, There will be fully functioning web based application to demonstrate how CSRF attack works and how to prevent it using synchronizer token pattern. So, in order to follow this, you will need to setup your development environment first. These are the technologies I used to develop this demonstration application. Technologies Java 8 Spring Boot Framework Spring Security Maven Bootstrap 4 (Optional, Just for enhance the look and feel) Integrated Development Environmen
Read more

Lets read emails in gmail using oAuth 2.0 (Application demo)

Image
Today I will create a oAuth application using java programming language. The application will access google's gmail api and read emails in user's gmail inbox. To access user's gmail account, application will use oAuth access token obtained by gmail authentication server. Don't worry. I will demonstrate each step by clearly. So lets start computing from basics! To use gmail api, we need to obtain app id and app secret from google api console. To do so, you will need a google account. If you are using a gmail account or any other google product (Ex. google drive, youtube), then you already have a google account. If you don't have a google account, you can create it from here. So then you will need to access into the google cloud api console. It has very clear and clean user interface. Google api console will provide various kinds of apis from each of google products. Since we are going to develop for Gmail, lets log into gmail api section. In google itself there are
Read more

How to view queries executed in MySQL?

Hi all, This is a small post which I would like to share my finding with you. In one of my software project, There was a small peace of software which frequently dealing with database. (I got that clue from MySQL workbench dashboard) I was so curious about that because I wanted to know what does that do and what does it read/write from/to the database.  Finally I found a solution which helps me to find out that ! The solution was MySQL log. First you will have to enable the log. If you are using a version below 5.1.12, you will have to go to configuration level (my.cnf). But fortunately, If you are using MySQL >= 5.1.12 you can do that on the fly with MySQL global variables and does not need to restart the server as well. This is how I did (in MySQL >= 5.1.12), There are two options which can be done. Writing log to a table Writing log to a file. By default, MySQL logging is disabled, because of the performance reasons.  So we have to enable it first.   Writing log to a table Exe
Read more