What Is CSRF Validation? [Solved]

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. [1]
One common solution is based on keeping the value of the matching CSRF token on the server side. If you don’t want to maintain a copy of the token on the server for any reason, you can apply the double submit cookie strategy. With this variant, the server stores the matching token’s value in a cookie instead of keeping it in the server session. It sends the CSRF token’s value to the browser both in a hidden form field and in the cookie. When the server receives a request, it only needs to check that the cookie’s value and the hidden field’s value match. [2]
According to the OWASP Cheat Sheet Series, CSRF tokens should be generated on the server side. They can be generated once per user session or once per request. Per-request tokens are more secure than per-session tokens, because the window in which an attacker can use a stolen token is minimal. However, this may cause usability problems. For example, the browser’s “Back” button is often hindered, since the previous page may contain a token that is no longer valid; interacting with that page will produce a CSRF false-positive security event at the server. In a per-session token implementation, once the token is generated its value is stored in the session and is used for each subsequent request until the session expires. [3]
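The two validation strategies described above, the server-side (session-stored) token in per-session and per-request modes, and the double submit cookie check, as a small added example. This is illustrative code written for this page, not code from OWASP, Auth0 or any framework; the class and function names (`SynchronizerTokenStore`, `double_submit_valid`) and the in-memory session dictionary are assumptions standing in for a real session backend.

```python
import hmac
import secrets
from typing import Dict, Optional


def generate_token() -> str:
    """Server-generated CSRF token: 32 bytes from the OS CSPRNG, URL-safe base64 (43 chars)."""
    return secrets.token_urlsafe(32)


def _equal(expected: str, submitted: str) -> bool:
    # Constant-time comparison so an attacker cannot time out the token byte by byte.
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


class SynchronizerTokenStore:
    """Server-side token copy, keyed by session id.

    per_request=False: one token per session, reused until the session expires.
    per_request=True : a fresh token on every form render, consumed on first use.
    The dict below is a stand-in (assumption) for a real session store.
    """

    def __init__(self, per_request: bool = False) -> None:
        self.per_request = per_request
        self._sessions: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        """Called when rendering a form; returns the value to put in the hidden field."""
        if self.per_request or session_id not in self._sessions:
            # Per-request mode regenerates every time, which is exactly why an older
            # page (e.g. reached via the Back button) will fail validation.
            self._sessions[session_id] = generate_token()
        return self._sessions[session_id]

    def validate(self, session_id: str, submitted: Optional[str]) -> bool:
        """Called on a state-changing request; compares hidden field against the stored copy."""
        expected = self._sessions.get(session_id)
        if expected is None or submitted is None:
            return False
        ok = _equal(expected, submitted)
        if ok and self.per_request:
            del self._sessions[session_id]  # single use: replay of the same token fails
        return ok


def double_submit_valid(cookie_token: Optional[str], form_token: Optional[str]) -> bool:
    """Double submit cookie check: no server-side copy, the cookie value must equal the hidden field.

    A cross-site page cannot read the victim's cookie, so it cannot fill in a matching field.
    Both values must be present; a request with either missing is rejected.
    """
    if not cookie_token or not form_token:
        return False
    return _equal(cookie_token, form_token)


if __name__ == "__main__":
    # Constructed walk-through of the three behaviours.
    per_session = SynchronizerTokenStore()
    t = per_session.issue("session-A")
    print("per-session, legit submit:", per_session.validate("session-A", t))
    print("per-session, forged value:", per_session.validate("session-A", "not-the-token"))

    per_req = SynchronizerTokenStore(per_request=True)
    old_page = per_req.issue("session-B")   # first render
    new_page = per_req.issue("session-B")   # user navigates on, form rendered again
    print("per-request, stale (Back button) token:", per_req.validate("session-B", old_page))
    print("per-request, current token:", per_req.validate("session-B", new_page))

    cookie = generate_token()
    print("double submit, cookie == field:", double_submit_valid(cookie, cookie))
    print("double submit, field guessed  :", double_submit_valid(cookie, generate_token()))
```

The stale-token case in per-request mode is the "Back button" false positive the text describes: the older page still carries a token that validation no longer accepts. The plain double submit check assumes an attacker cannot set cookies for the application's domain; the OWASP cheat sheet cited above recommends a signed variant of the cookie for that reason.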
As netsparker.com points out, when you are browsing a website it is common for that website to request data from another website on your behalf. For example, a video shown on a website is usually not stored on the website itself: it appears to be part of the page but is actually embedded from a video streaming site such as YouTube. The same idea underlies Content Delivery Networks (CDNs), which are used to deliver content faster. Many websites keep scripts, images, and other bandwidth-hungry resources on CDNs, so while you browse, those images and script files are downloaded from the CDN rather than from the website itself. [4]

Article References

  1. https://owasp.org/www-community/attacks/csrf
  2. https://auth0.com/blog/cross-site-request-forgery-csrf/
  3. https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
  4. https://www.netsparker.com/blog/web-security/csrf-cross-site-request-forgery/

Written by Kelly-Anne Kidston
