
Security Assessment

Risk: 4.3
Probability: 2.8
Impact: 1.4
CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Vulnerability Information

Cross-Site Request Forgery (CSRF) allows an attacker to carry out actions in a different security context, such as that of another, logged-in user. To achieve this, a CSRF attack sends an HTTP request whenever a user opens a website containing malicious code. The code is embedded in such a way that no further action by the user is required. This kind of attack is widely used in spam mails: by clicking on a malicious URL, the user starts the attack without knowing it, and the attacker forges the user’s actions. The HTTP requests sent without the user’s knowledge may access, modify or delete sensitive data.

Guides

To prevent CSRF attacks, make sure that an attacker cannot craft an arbitrary request that is run in the security context of any other user and sent from a different website:

The most common mitigation for CSRF attacks is the use of a CSRF-Token. When a form contains a hidden field with a specially crafted value (the CSRF-Token) that the backend verifies when receiving the form data, CSRF attacks can be prevented: any request that does not originate from the original form will not include the correct CSRF-Token value and can easily be discarded. The CSRF-Token must be tied to a single user session and may not be reused across sessions or for different users.

With modern frameworks, these tokens can easily be added to forms and are validated by the corresponding middleware. For single-page applications, the CSRF-Token may be provided in a meta tag, which is then read by the JavaScript in the browser and appended to every request.
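The check a backend performs on the hidden field, shown as an added example in Python (this is not the page's code nor any framework's middleware); the in-memory SessionStore and the function names are assumptions standing in for a real server-side session backend:

```python
import hmac
import secrets

# Added example (not framework code): a minimal synchronizer-token check.
# SessionStore and the function names below are assumptions standing in
# for a real server-side session backend.


class SessionStore:
    """In-memory stand-in for server-side session storage, keyed by session id."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def issue_token(store, sid):
    """Return the CSRF-Token bound to this session, creating it on first use."""
    session = store.get(sid)
    if session is None:
        raise KeyError("unknown session")
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def hidden_field(token):
    """The hidden input the server renders into every state-changing form."""
    return f'<input type="hidden" name="_token" value="{token}">'


def validate_request(store, sid, form_data):
    """Accept the form only if its token matches the one stored for this session."""
    session = store.get(sid)
    if session is None or "csrf_token" not in session:
        return False
    submitted = form_data.get("_token")
    if not isinstance(submitted, str):
        return False
    # Constant-time comparison: the check must not leak the token byte by byte.
    return hmac.compare_digest(submitted.encode(), session["csrf_token"].encode())
```

A token issued for one session is rejected when submitted with another, which is the per-session binding the paragraph above requires.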


Laravel

To protect forms in Laravel, just include the following code within the <form></form> tags.

{{ csrf_field() }}


For JavaScript requests, the file resources/assets/js/bootstrap.js automatically reads the csrf-token meta tag and configures the Axios HTTP library to send it with every request. If you are not using this library, check the Laravel documentation for more information.


Django

With Django, it is similarly easy to protect any form with a CSRF-Token by placing the following snippet within the <form></form> tags.

{% csrf_token %}

To provide the token for JavaScript requests, retrieve it from the cookie Django stores it in and add it to the request header.

var csrftoken = Cookies.get('csrftoken');
...
xhr.setRequestHeader("X-CSRFToken", csrftoken);

Please refer to the Django documentation for more detailed examples.


For using CSRF-Tokens with your preferred framework, please check the appropriate documentation.

Contribute

If you are facing an issue that is not covered in our guides, we are happy to include a solution here. Please send us an e-mail at support@crashtest-security.com.

Crashtest Security

Crashtest Security is a Munich, Germany-based start-up that redefines web application vulnerability scans. The Crashtest Security Suite differentiates itself as a fully automated vulnerability scanner enhanced with artificial intelligence, developed for the needs of agile developers and SecDevOps teams. It provides clear vulnerability insights as well as contextual, actionable insights for risk mitigation.



For more information visit https://crashtest-security.com
