Cross-site Request Forgery
Overview
Cross-site Request Forgery (CSRF) is a type of malicious exploit of a website in which unauthorized commands are transmitted from a user that the web application trusts. It is also known as a one-click attack or session riding and is abbreviated CSRF or XSRF. CSRF attacks specifically target state-changing requests rather than theft of data, since the attacker has no way to see the response to the forged request.
Mechanism of Action
In a CSRF attack, the victim's browser is tricked into making a request to a site with which the victim is authenticated. This is done by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have been authenticated. For instance, one user, Alice, might be browsing a chat forum where another user, Bob, has posted a message. Suppose that Bob has crafted an HTML image element that references a script on Alice's bank's website (instead of an image file), e.g., bank.example.com/withdraw?account=Alice&amount=1000000&for=Bob. If Alice's bank keeps her authentication information in a cookie, and if the cookie hasn't expired, then the attempt by Alice's browser to load the image will send the withdrawal request along with her cookie, thus authorizing a transaction without Alice's approval.
Impact
The impact of a successful CSRF attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, a changed password, or the purchase of an item in the user's context. In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds transfer, form submission, etc.) via the target's browser without the target user's knowledge, at least until the unauthorized function has been committed.
Prevention
There are several ways to prevent CSRF attacks, including the use of the Synchronizer Token Pattern, checking the HTTP Referer header, and requiring a secret, user-specific token in all form submissions. Web applications can also mitigate the risk of CSRF attacks by using the SameSite cookie attribute, which causes the browser to send a cookie only on requests originating from the site that set it and not on requests made from third-party sites.
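As an added illustration that is not part of the original article, the following Python sketch applies the Synchronizer Token Pattern and the SameSite cookie attribute to the bank withdrawal endpoint from the example above; the session dictionary, handler names and form fields are assumptions, not any real framework's API.

```python
import hmac
import secrets
from typing import Optional, Tuple


def issue_csrf_token(session: dict) -> str:
    """Synchronizer Token Pattern: one unguessable token per session, kept
    server-side and embedded as a hidden field in every state-changing form.
    A forged request from another origin cannot read it, so it cannot supply it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_is_valid(session: dict, submitted: Optional[str]) -> bool:
    """Compare the submitted token with the stored one in constant time."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_withdraw(method: str, session: dict, form: dict) -> Tuple[int, str]:
    """Hypothetical handler for the /withdraw endpoint. The cookie-backed
    session alone (what the forged image load carries) is not enough:
    a state-changing action must be a POST carrying a valid CSRF token."""
    if method != "POST":
        # An <img> load is a GET; refusing GET for state changes blocks it outright.
        return 405, "state-changing requests must use POST"
    if not csrf_token_is_valid(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, f"withdrew {form['amount']} from {form['account']}"


def session_cookie_header(session_id: str) -> str:
    """Defence in depth: SameSite=Lax makes the browser omit the session cookie
    from cross-site subresource loads such as Bob's image, so the forged
    request arrives unauthenticated even before the token check runs."""
    return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    alice = {}  # constructed: Alice's authenticated server-side session
    forged = {"account": "Alice", "amount": "1000000", "for": "Bob"}
    print(handle_withdraw("GET", alice, forged))            # rejected: GET
    print(handle_withdraw("POST", alice, forged))           # rejected: no token
    legit = dict(forged, csrf_token=issue_csrf_token(alice))
    print(handle_withdraw("POST", alice, legit))            # accepted
    print(session_cookie_header("constructed-session-id"))
```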