Monday, January 2, 2017

CSRF ATTACK

CSRF stands for cross-site request forgery. In this attack, an attacker causes a request to be sent to a website from an untrusted source, and the web server processes it as if it were legitimate. This may result in unexpected behaviour of the application, such as incorrect information being stored in the database or invalid financial transactions. The picture below demonstrates the behaviour of a CSRF attack.



In the picture above, an attacker prepares a web page so that the user clicks a button to collect his winnings. After that, the page asks the user for information such as email and password. If the user enters his information, thinking he is on a genuine site, the result is information theft.

Prevention:

To prevent a CSRF attack, the web page sends an anti-forgery token with the request, and this token is later validated in the controller's action method. If the token does not match, the request is not processed by the web server. The picture below illustrates the implementation of an anti-forgery token to prevent CSRF attacks.



In the web page we need to send an anti-forgery token, and this token is checked against the one expected by the controller action method.

How the attack takes place if anti-forgery is not implemented:

Here is the general gist: You are logged in to your bank's website. Your bank puts a cookie on your machine so it can authenticate you. Every time you make a request to (i.e. load a page from) yourbank.com, the browser sends the cookie to the web server and the code on the web server checks the cookie to make sure you're authenticated. Great.
However, while the cookie hasn't yet expired, you check your mail and open an email from a Nigerian Prince telling you to click on a link. You click on it (who can resist) and instead of taking you to the page the Prince has described, the link takes you to this URL:
Because you're already authenticated at your bank (through the cookie), it thinks you're actually asking to transfer the money, so it does it.
This is obviously a bit of a contrived example, but it gets the point across. More realistically, the link might submit a request that changes your email address on a forum website that you belong to or something, so that they can get access to it.
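The token check described under Prevention, applied to the bank-transfer scenario above, as an added example (not code from the original post; in ASP.NET MVC the same mechanism is `@Html.AntiForgeryToken()` in the form and `[ValidateAntiForgeryToken]` on the action). The in-memory session store and the `transfer_action` handler are constructed for the example.

```python
import hmac
import secrets

# Constructed stand-in for the server's session store: session id -> session data.
SESSIONS = {}


def login(user):
    """Authenticate a user: create a session and return the cookie value.
    The anti-forgery token is generated once per session and bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(session_cookie):
    """The bank's own page embeds the session's token as a hidden form field.
    A page on another site cannot read this form, so it cannot learn the token."""
    return {"_csrf": SESSIONS[session_cookie]["csrf_token"]}


def transfer_action(cookies, form):
    """Controller action: the cookie authenticates the user (exactly as in the
    story above); the token proves the request came from the bank's own page."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not authenticated"
    submitted = form.get("_csrf", "")
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "anti-forgery token missing or invalid; request not processed"
    return 200, f"transferred {form['amount']} from {session['user']} to {form['to']}"


def demo():
    """Returns the status codes for a legitimate, a forged, and a cross-session request."""
    alice = login("alice")
    cookies = {"session": alice}
    # Legitimate: the browser submits the bank's own form, which carries the token.
    legit = dict(render_transfer_form(alice), amount="100", to="bob")
    # Forged: the Prince's link makes the browser send Alice's cookie automatically,
    # but the forged form has no token, so the action refuses it.
    forged = {"amount": "100", "to": "prince"}
    # Cross-session: a token from the attacker's own session is not Alice's token.
    attacker = login("prince")
    reused = dict(render_transfer_form(attacker), amount="100", to="prince")
    return (transfer_action(cookies, legit)[0],
            transfer_action(cookies, forged)[0],
            transfer_action(cookies, reused)[0])
```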