The big lie of computer security is that security improves by imposing complex passwords on users. In real life, people write down anything they can't remember. Security is increased by designing for the way humans actually behave. -Jakob Nielsen
A CSRF (cross-site request forgery) attack is a form of attack in which commands are transmitted from a victim's browser to another website without the user's consent. CSRF attacks are usually invisible and rely on ordinary browser functionality (such as automatically loading images).
How is a CSRF Attack Carried Out?
A CSRF attack is embedded in an element that browsers act on automatically (such as an image tag).
Let's assume that Joe has just registered with a brand new electronic money transfer site. When Joe wants to transfer money, he heads to www.example.com/transfer.php to send some money to his wife, Mary.
He fills out the form with the amount of money he wants to transfer and who he wants to send it to, and then clicks submit. The URL now looks like this:
The next day, Janice, Joe's angry ex-wife, also registers with the site. She decides to send $5 to her boyfriend, named Sam. She heads to www.example.com/transfer.php, fills out the form (quite angrily), and hits submit.
His browser then attempts to download the page and display it as an image. Because the link provided is not a valid image, the browser displays it as a broken image.
However, the server at example.com sees that Joe's browser has requested the link, and transfers $5000 to Janice.
All this happens invisibly and within seconds.
Dangers of CSRF
We now understand how a CSRF attack is performed. But what can this attack do?

* Log a user in/out
* Register a user
* Log data of a user
* Send a message from the victim to someone else
The only requirement is that the server has no means of detecting whether the user actually authorized the action that the CSRF attack performs.
Prevention of CSRF Attacks
CSRF attacks can be prevented in a number of ways, but the most robust defence is a combination of several different methods.
CSRF attacks are much easier if an action can be performed with an HTTP GET request, but accepting only POST requests is not, by itself, sufficient to prevent them.
One common method of preventing CSRF attacks is to include a hidden value that is randomly generated on the user's visit to the webpage. The advantage of this strategy is that the attacker cannot predict what the token will be, so a forged request cannot include it, and the attack fails. This would look something like
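As an added example (not the article's own snippet), the following shows the hidden-token defence applied to the transfer.php scenario above: a per-session token is embedded in the form, and the server rejects any transfer request that is a GET or that lacks a matching token. The in-memory session store, the rotate-on-use policy and the function names are assumptions for the sake of illustration.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for the site's real
# session backend (assumption: one CSRF token bound to each session).
SESSIONS = {}


def new_session():
    """Create a session id and bind a fresh, unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """Embed the session's token as a hidden field. A forged <img> or
    cross-site <form> cannot read this page, so it cannot supply the token."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/transfer.php">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer(sid, method, form):
    """Server-side check for transfer.php. Returns (accepted, reason)."""
    if method != "POST":
        # The image-tag trick only produces GET requests; refuse them outright.
        return False, "GET not allowed for a state-changing action"
    session = SESSIONS.get(sid)
    if session is None:
        return False, "no session"
    submitted = form.get("csrf_token", "")
    expected = session["csrf_token"]
    # Constant-time comparison so the check does not leak the token by timing.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "missing or invalid csrf token"
    # Rotate the token after use so a captured submission cannot be replayed
    # (a design choice of this example, not something the article prescribes).
    session["csrf_token"] = secrets.token_urlsafe(32)
    return True, "transfer accepted"


if __name__ == "__main__":
    sid = new_session()
    print(render_transfer_form(sid))
    print(handle_transfer(sid, "GET", {"to": "janice", "amount": "5000"}))
```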