What is CSRF and How to Stay Safe While Browsing

Sreedeep cv
2 min read

Cross-Site Request Forgery (CSRF) is a web security vulnerability that tricks users into performing unintended actions on a website where they are authenticated. For instance, imagine you're logged into your online banking account, and in another browser tab, you visit a malicious website. That site can exploit CSRF to make requests to your bank, such as transferring funds, without your consent.

How CSRF Works

CSRF takes advantage of the fact that browsers automatically attach a site's cookies to every request sent to that site, no matter which page initiated the request. If a malicious website sends a GET or POST request to your bank's transfer-funds endpoint while you're logged in, your browser will include your session cookie with the request, making it look legitimate to the server.

Examples of GET and POST Requests in CSRF

GET /transfer?amount=500&to_account=12345 HTTP/1.1
Host: bank.com

This is a simple GET request to transfer funds. CSRF can exploit this if the server accepts state-changing actions via GET requests.

Trick 1: An image tag is enough to send a GET request. The browser fetches whatever URL is in the img src attribute, so an image whose src points at the API endpoint makes the request (with cookies) as soon as the page loads.

POST /transfer HTTP/1.1
Host: bank.com
Content-Type: application/x-www-form-urlencoded

amount=500&to_account=12345

In a POST request, sensitive operations such as fund transfers are more common. Attackers can trick users into submitting forms on malicious sites that target these endpoints.

Trick 2: Sites often assume the browser's CORS preflight (an OPTIONS request) will block requests from unknown hosts. A cross-site request with Content-Type: application/x-www-form-urlencoded is sent without any OPTIONS request, so that check alone does not stop it.

No State-Altering Actions with GET

A critical security rule is that GET requests should never modify server state, such as changing data, transferring funds, or deleting accounts. GET requests are intended for retrieving data, not making changes. If your server allows state-altering GET requests, it becomes significantly easier for attackers to exploit CSRF.

  1. Use CSRF Tokens: Websites should implement CSRF tokens—unique, unpredictable values included in forms or headers. The server validates these tokens to ensure requests are legitimate.

  2. Enforce Referer and Origin Checks: Servers can verify the Referer or Origin headers to ensure requests are coming from trusted sources.

  3. Avoid GET for State Changes: Always use POST or PUT for any request that modifies data or changes server state.
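As an added example (not code from this article or from LiveAPI), here is a plain-Python server-side check that applies the three rules above to a state-changing request such as the /transfer endpoint; the server secret, allowed origin and session id are constructed placeholders.

```python
import hmac
import hashlib
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed values (not from the article): the server-side secret used to
# derive tokens, and the origin the banking site is served from.
SERVER_SECRET = b"example-server-secret-rotate-me"
ALLOWED_ORIGIN = "https://bank.com"
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session CSRF token as an HMAC of the session id.

    The token goes into a hidden form field. A malicious site cannot read it,
    because the same-origin policy stops it from reading bank.com's pages."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def source_origin(headers: dict) -> Optional[str]:
    """scheme://host of the request source, from Origin, else from Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None  # neither header present: treat as untrusted

def is_request_allowed(method: str, headers: dict, form: dict, session_id: str) -> Tuple[bool, str]:
    """Apply the article's three rules to a state-changing request (e.g. /transfer).
    Returns (allowed, reason)."""
    # Rule 3: GET never changes state, so the transfer handler rejects it outright.
    if method.upper() not in STATE_CHANGING_METHODS:
        return False, "state-changing action requires POST/PUT/PATCH/DELETE"
    # Rule 2: the request must originate from our own site. A form auto-submitted
    # from a malicious page carries that page's origin, not ours.
    src = source_origin(headers)
    if src != ALLOWED_ORIGIN:
        return False, f"unexpected source origin {src!r}"
    # Rule 1: the submitted token must equal the one issued for this session.
    # The attacker's page cannot obtain it, so a forged request fails here.
    expected = issue_csrf_token(session_id)
    submitted = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

Rejecting requests with neither Origin nor Referer is deliberate: a strict Referrer-Policy can strip both, and the token check still protects legitimate users who then resubmit.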

CSRF is a subtle yet serious threat, but simple precautions can make your browsing experience much safer. Developers and users both have roles to play—developers in implementing secure practices and users in maintaining cautious browsing habits. Remember, the web is only as safe as we make it.

If you are interested in more API security articles, stay tuned. We are working on a product called LiveAPI, a super convenient API docs generator that works at scale. Please take a look and try it out.


Written by

Sreedeep cv

Sreedeep is a developer, currently building LiveAPI, a tool to create super-convenient API documentation for teams at scale. He is also interested in cyber security and passionate about building awesome tools and projects.