
Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) allows an attacker to carry out actions in a different security context, such as that of another logged-in user. Read here how you can efficiently fix a CSRF vulnerability.

Security Assessment


CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Vulnerability Information

Cross-Site Request Forgery (CSRF) allows an attacker to carry out actions in a different security context, such as that of another logged-in user. To achieve this, a CSRF attack makes the victim's browser send an HTTP request whenever the user opens a website containing malicious code. The code is embedded in such a way that no further action by the user is required. This kind of attack is widely used in spam mails: by clicking on a malicious URL, the attack starts without the user's knowledge and forges the user's actions. The HTTP requests sent without the user's knowledge may access, modify or delete sensitive data.

Guides

To prevent CSRF attacks, make sure that an attacker cannot craft an arbitrary request that is sent from a different website and run in the security context of another user:

The most common mitigation for CSRF attacks is the use of a CSRF-Token. When a form contains a hidden field with a specially crafted value (the CSRF-Token) that the backend checks when receiving the form data, CSRF attacks can be prevented: any request that does not originate from the original form will not include the correct token value and can be discarded. The CSRF-Token must be tied to a single user session and must not be reused across sessions or for different users.

When using modern frameworks, these tokens can easily be added to forms and are validated by the corresponding middleware. For single-page applications, the CSRF-Token may be provided in a meta tag, which is then read by the JavaScript in the browser and added to every request.
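The following is an added example (not Crashtest Security's code and not any framework's middleware) of what such a session-bound token check looks like in plain Python: one token per session, rendered either as a hidden form field or as a meta tag for JavaScript requests, and compared in constant time on the server. The field name `_csrf_token`, the header name `X-CSRF-Token` and the session identifiers are assumptions chosen for the example.

```python
import hmac
import secrets


class CsrfGuard:
    """Issues one CSRF token per session and validates incoming requests.

    Added example, not framework code. Field and header names are assumed.
    """

    FIELD = "_csrf_token"      # hidden form field name (assumed)
    HEADER = "X-CSRF-Token"    # header set by JavaScript requests (assumed)

    def __init__(self):
        self._tokens = {}      # session_id -> token, kept server-side only

    def token_for(self, session_id):
        """Return the session's token, creating a random one on first use."""
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def hidden_field(self, session_id):
        """Markup to place inside a <form>, as a framework helper would render it."""
        return f'<input type="hidden" name="{self.FIELD}" value="{self.token_for(session_id)}">'

    def meta_tag(self, session_id):
        """Markup for the page <head>, read by client-side JavaScript."""
        return f'<meta name="csrf-token" content="{self.token_for(session_id)}">'

    def is_valid(self, session_id, form=None, headers=None):
        """Accept the request only if it carries this session's own token.

        The token may arrive in the hidden form field or in the header.
        Header names are looked up exactly as given (assumed normalised upstream).
        """
        expected = self._tokens.get(session_id)
        if expected is None:
            return False               # session never received a token
        supplied = (form or {}).get(self.FIELD) or (headers or {}).get(self.HEADER)
        if not supplied:
            return False               # a cross-site form post cannot include it
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        return hmac.compare_digest(expected.encode(), str(supplied).encode())


def demo():
    """Constructed requests: one legitimate form post, one JS request, two forgeries."""
    guard = CsrfGuard()
    alice, bob = "sess-alice", "sess-bob"          # constructed session ids
    alice_token = guard.token_for(alice)
    guard.token_for(bob)                           # bob has his own token
    return {
        "form_ok": guard.is_valid(alice, form={"_csrf_token": alice_token}),
        "header_ok": guard.is_valid(alice, headers={"X-CSRF-Token": alice_token}),
        "missing_token": guard.is_valid(alice, form={"amount": "100"}),
        "other_sessions_token": guard.is_valid(bob, form={"_csrf_token": alice_token}),
    }


if __name__ == "__main__":
    print(demo())
```

The last two cases are the ones that matter for the guideline above: a request without the token is rejected, and a valid token from one session is rejected when presented in another, which is what "tied to a single user session" means in practice.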

Laravel

To protect forms in Laravel, just include the following code within the <form></form> tags.


For JavaScript requests, the file resources/assets/js/bootstrap.js automatically configures the csrf-token meta tag, which is used by the Axios HTTP library. If you are not using this library, check the Laravel documentation for more information.

Django

With Django, it is similarly easy to protect any form with a CSRF-Token by using the snippet within the <form></form> tags.


To provide the token for use with JavaScript requests, retrieve it from the cookie in which it is stored and add it to the request.

// Cookies.get comes from a cookie helper such as js-cookie; the token lives in the csrftoken cookie
var csrftoken = Cookies.get('csrftoken');
...
// xhr is an XMLHttpRequest that has already been opened; send the token in the X-CSRFToken header
xhr.setRequestHeader("X-CSRFToken", csrftoken);

Please refer to the Django documentation for more detailed examples.
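As an added illustration of the server side of the cookie-to-header pattern shown above (this is example code written for this page, not Django's CSRF middleware, which additionally masks the token and checks the Origin/Referer headers), the check below accepts a state-changing request only when the X-CSRFToken header matches the csrftoken cookie. The sample requests are constructed; the token value and session cookie are placeholders.

```python
import hmac
from http.cookies import SimpleCookie

# Methods that must never change state and therefore need no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def csrf_check(method, headers):
    """Return (accepted, reason) for one request.

    headers: dict of request header name -> value (names as written here).
    Simplified model of the cookie-to-header check; not Django's own code.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    cookies = SimpleCookie()
    cookies.load(headers.get("Cookie", ""))
    cookie_token = cookies["csrftoken"].value if "csrftoken" in cookies else ""
    header_token = headers.get("X-CSRFToken", "")

    if not cookie_token:
        return False, "missing csrftoken cookie"
    if not header_token:
        # A form post from another site carries the cookie but cannot set
        # a custom header, and a script on another origin cannot read the cookie.
        return False, "missing X-CSRFToken header"
    if not hmac.compare_digest(cookie_token.encode(), header_token.encode()):
        return False, "token mismatch"
    return True, "ok"


def demo():
    """Constructed requests: legitimate JS request, cross-site forgery, plain GET."""
    legit = {
        "Cookie": "csrftoken=EXAMPLETOKEN123; sessionid=EXAMPLESESSION",  # constructed
        "X-CSRFToken": "EXAMPLETOKEN123",
    }
    forged = {
        "Cookie": "csrftoken=EXAMPLETOKEN123; sessionid=EXAMPLESESSION",  # browser attaches it
        # no X-CSRFToken: the attacker's page cannot read the cookie to set it
    }
    return {
        "legit_post": csrf_check("POST", legit),
        "forged_post": csrf_check("POST", forged),
        "forged_wrong_header": csrf_check("POST", {**forged, "X-CSRFToken": "guess"}),
        "get": csrf_check("GET", forged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The reason the header check works is the same-origin policy: the browser sends the csrftoken cookie with any request to the site, but only JavaScript served from the site's own origin can read that cookie and copy it into the header.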

For using CSRF-Tokens with your preferred framework, please check the appropriate documentation.

For more information about Crashtest Security visit crashtest-security.com