What is CSRF and what are the risks?

BugHunt

4 min read
What is CSRF and what are the risks?

CSRF is an attack that exploits a system's trust in the user's browser, allowing malicious actions without their authorization.

How does it work?

You are logged into your bank account or a corporate system. In another tab, you click on a seemingly harmless link, sent via email or social media. In seconds, without you noticing, a financial transaction is made, your settings are changed, or a compromising message is posted on your behalf. All of this happens without requiring your password or any confirmation. This is the danger of Cross-Site Request Forgery (CSRF), one of the most stealthy and dangerous attacks on the web.

CSRF doesn't need to steal your credentials to cause damage. It takes advantage of the trust that the system has in your browser and exploits the way the web processes authenticated requests.

But how does it work? What are the real risks for users and businesses? And most importantly, how can you protect yourself from this silent attack? Find out in this article!

What is CSRF? Cross-Site Request Forgery (CSRF) is an attack that exploits the trust a web system has in the user's browser. In this attack, the attacker manipulates a web application to perform unwanted actions without the consent of the authenticated user. This happens because, when accessing a malicious website, the browser automatically sends requests to an online service where the user is already logged in, using their authentication cookies.

Unlike attacks like SQL Injection or Cross-Site Scripting (XSS), which aim to exploit vulnerabilities within the system itself, CSRF takes advantage of the default behavior of browsers, which automatically send session cookies in HTTP requests. This makes the attack difficult for the average user to detect and potentially devastating for web services.

What are the risks of CSRF? CSRF attacks can lead to various severe consequences for individuals and businesses. Some of the risks include:

  • Unauthorized financial transfers: an attacker can force a user to perform a bank transaction without their consent.
  • Credential changes: passwords, emails, or other account information can be altered without the user realizing.
  • Malicious posts and messages: CSRF attacks can be used to publish unwanted content on social media or send emails on the victim's behalf.
  • Compromising critical configurations: an attack can alter administrative parameters of a system, compromising its security and availability.
  • Exposure of sensitive data: an attacker can use a CSRF attack to exfiltrate confidential information from an authenticated user.

The success of a CSRF attack often depends on social engineering, a method where the attacker tricks the victim into clicking on a link or visiting a compromised page. This tactic highlights the importance of digital education and implementing additional layers of security.

How to protect against Cross-Site Request Forgery? Protecting against CSRF involves combining good development practices with security measures to prevent malicious actions from being executed without the user's consent. Here are some effective strategies:

  1. Use security tokens (Anti-CSRF tokens) Security tokens are unique codes generated by the system for each user's session. Whenever an important action is performed (such as changing settings or making payments), the system checks if the token sent with the request is valid. If a malicious site tries to forge an action, it won’t have the token, and the attempt will be blocked.
  2. Verify the origin of requests Browsers send information about the origin of a request (such as the Referer and Origin headers). Configuring the system to check if the request truly came from the correct site helps prevent CSRF attacks. If the origin is unknown, the action can be blocked.

Tip: Think of this like a restaurant that only accepts orders made directly at the counter. If someone tries to call in and order food in your name without being there, the order will not be accepted.

  1. Configure security headers on the server Web servers can be configured to accept only requests made in secure ways. Some practices include:
  • Ensuring the Content-Type header is correct (to avoid forged requests).
  • Using X-Requested-With to confirm the request came from within the application itself.
  1. Enable Multi-Factor Authentication (MFA) MFA adds extra layers of security, even when a CSRF attack tries to perform critical actions on an account. After an attempt to change something (like a transaction or password change), the user will be asked to confirm the action through an additional factor, such as a code sent via SMS or generated by an authenticator app. This ensures that even if an attacker executes a command, they cannot complete the action without the true account owner's authorization.
  2. Use captchas on sensitive actions Adding a captcha to forms that change important information makes CSRF attacks more difficult, as it requires a human to complete a verification before submitting the request.
  3. Restrict HTTP methods for sensitive actions Avoid allowing methods like GET to be used to modify critical data. Always use POST, PUT, or DELETE when a user is making changes to their account or performing transactions, as they offer better security.

Warning: Some pages allow parameters to be passed through the URL (example.com/changespassword?new=123). This makes CSRF attacks easier. Prefer forms protected by tokens and secure methods.

  1. Educate employees about suspicious links CSRF attacks often rely on social engineering, i.e., deceiving users into clicking on malicious links. Therefore, it is essential to reinforce good practices like:
    🔹 Never click on suspicious links sent by email or social media.
    🔹 Always verify you are on the official website before entering sensitive information.
    🔹 Use updated browsers and systems, which fix known vulnerabilities.

As mentioned, Cross-Site Request Forgery (CSRF) is a stealthy attack that can compromise accounts, change critical settings, and even make financial transactions without the victim's knowledge. To avoid these risks, in addition to good security practices, it's essential to constantly test the resilience of systems.

In this context, tools like Bug Bounty and Pentesting help with prevention. In Bug Bounty, experts identify vulnerabilities, such as CSRF token validation flaws, helping companies fix gaps before they are exploited. Pentesting simulates real attacks to check if the protections against CSRF are working correctly and if there are flaws that need to be addressed.

Therefore, in addition to protective measures, continuously testing security is key to preventing attacks and ensuring the integrity of systems and users.

Enjoyed this content from BugHunt? Explore more articles like this on our blog or follow us on social media to stay updated on the latest digital security topics.