16 June, 2014 · 2 minutes to read
Overlooking the risk of Cross-site Request Forgery (CSRF) exploits can leave your organisation's website or application vulnerable to attack. In this, the first of a series of security blogs, we look at the steps developers can take to reduce the risk.
When it targets an ordinary user, a successful CSRF exploit can compromise that user's data and the actions performed on their behalf. If the targeted user holds an administrator account, a CSRF attack can compromise the entire web application.
Cross-site request forgery (CSRF) is a type of security exploit in which unauthorised commands are transmitted to a website from a user that website trusts, without the user's knowledge. Because the request is sent by the victim's own browser, complete with the victim's session cookie, the web server logs it as an ordinary authenticated request. Nothing in the logs distinguishes it from a legitimate one, so attacks often go unnoticed and unreported.
The exploit works by including a link, image or script in a page that makes a request to a site the user is expected to be logged in to. The attacker can host that page anywhere; it does not need to live on the target site. Where a site displays user-supplied content without validating it, for example a comment on a blog post, the attacker can also plant the malicious markup there (the same weakness that allows Cross-Site Scripting). When the victim's browser renders the page it follows the link automatically, and sends the victim's cookies for the target site along with the request.
Look at this image tag - can you spot what is going on here?
<img src="http://usersbank.com/transfer-money?to=attacker" />
This is a very simple example - you would hope that your online bank would not action a money transfer on the strength of a query-string parameter - but it does show the mechanism: the browser fetches the image source like any other URL, and if the user is logged in to usersbank.com the request carries their session cookie and the transfer goes through without the user ever seeing it.
There are various countermeasures to a CSRF exploit. The standard ones are: never perform a state-changing action in response to a GET request; include an unpredictable, per-session anti-forgery token in every form or request that changes state, and reject the request on the server side if the token is missing or wrong; check the Origin or Referer header against your own site; and require re-authentication or explicit confirmation for sensitive actions such as payments or password changes.
If you have an off-the-shelf package or use a well-known and well-documented open-source platform then you are probably fine, since anti-CSRF protection is usually built in. However, even these systems, along with bespoke solutions, should still be tested for CSRF exploits.
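To make the countermeasures concrete, here is an added example in Python (not Magnifica's code, and not from the original post) that simulates the transfer endpoint behind the image tag above. A handler that honours any request carrying the session cookie sits beside a hardened one that requires POST, checks the Origin header and verifies a per-session anti-forgery token. The Request class, session store, account balances and the usersbank.com origin are all constructed for the example.

```python
"""Vulnerable and hardened versions of a 'transfer money' handler.

Added example, not Magnifica's code: the Request class, session store,
balances and SITE_ORIGIN are constructed here so the script runs offline.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://usersbank.com"          # assumed origin of the bank
SESSIONS = {}                                  # session cookie -> session data
BALANCES = {"alice": 1000, "attacker": 0}      # constructed account balances


@dataclass
class Request:
    """Just the parts of an HTTP request the handlers look at."""
    method: str
    params: dict = field(default_factory=dict)   # query-string parameters
    form: dict = field(default_factory=dict)     # POST body fields
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login(user):
    """Open a session and issue it an unpredictable anti-forgery token."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return cookie


def transfer_vulnerable(request):
    """Honours any request that carries a valid session cookie, GET included.
    This is the behaviour the <img src=...> trick relies on."""
    session = SESSIONS.get(request.cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    to = request.params.get("to") or request.form.get("to")
    amount = int(request.params.get("amount") or request.form.get("amount") or 0)
    BALANCES[session["user"]] -= amount
    BALANCES[to] = BALANCES.get(to, 0) + amount
    return 200, "transferred"


def transfer_hardened(request):
    """Same action with the three standard checks applied before acting."""
    session = SESSIONS.get(request.cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    # 1. Only POST changes state: an <img> or <a> can only ever send a GET.
    if request.method != "POST":
        return 405, "method not allowed"
    # 2. When the browser sends an Origin header it must name our own site.
    origin = request.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    # 3. The form must carry the token issued to this session. A page on
    #    another site cannot read that token, so it cannot forge the field.
    submitted = request.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    to = request.form.get("to")
    amount = int(request.form.get("amount", 0))
    if not to or amount <= 0 or BALANCES[session["user"]] < amount:
        return 400, "invalid transfer"
    BALANCES[session["user"]] -= amount
    BALANCES[to] = BALANCES.get(to, 0) + amount
    return 200, "transferred"


def demo():
    """Replay the attack from the post against both handlers.

    Returns each handler's (status, message) plus the resulting balances."""
    SESSIONS.clear()
    BALANCES.clear()
    BALANCES.update({"alice": 1000, "attacker": 0})
    cookie = login("alice")
    token = SESSIONS[cookie]["csrf_token"]
    # What the browser sends after rendering the attacker's <img> tag:
    # Alice's cookie and the query string, nothing else.
    forged_get = Request("GET", params={"to": "attacker", "amount": "500"},
                         cookies={"session": cookie})
    # A forged auto-submitting form: the attacker has to guess the token, and
    # the browser stamps the attacker's origin on the request.
    forged_post = Request("POST", form={"to": "attacker", "amount": "500",
                                        "csrf_token": "guess"},
                          cookies={"session": cookie},
                          headers={"Origin": "https://evil.example"})
    # The same forged form from a browser that sends no Origin header at all.
    forged_post_no_origin = Request("POST", form={"to": "attacker", "amount": "500",
                                                  "csrf_token": "guess"},
                                    cookies={"session": cookie})
    # Alice's own form, rendered by usersbank.com with the real token embedded.
    genuine = Request("POST", form={"to": "bob", "amount": "100", "csrf_token": token},
                      cookies={"session": cookie}, headers={"Origin": SITE_ORIGIN})
    return {
        "forged_get_vulnerable": transfer_vulnerable(forged_get),
        "forged_get_hardened": transfer_hardened(forged_get),
        "forged_post_hardened": transfer_hardened(forged_post),
        "forged_post_no_origin_hardened": transfer_hardened(forged_post_no_origin),
        "genuine_hardened": transfer_hardened(genuine),
        "balances": dict(BALANCES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script shows the forged GET draining 500 from alice through the vulnerable handler, while the hardened handler refuses the same request on method alone, refuses the forged POST on its Origin, refuses the forged POST with no Origin on its token, and accepts only alice's own form. The token comparison uses hmac.compare_digest so that a wrong guess cannot be distinguished from a nearly right one by timing; the Origin check is kept as a second layer rather than the sole defence because not every client sends the header.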
All Magnifica solutions take the steps outlined above. If you have any concerns about a system your organisation uses, we can carry out a technical review of any third-party solution - you will receive a report that outlines risks such as CSRF exploits.