Kiiff Blog

Website Information, Tips, and Tricks!

Take Your Online Presence To The Next Level Learn More

What is a CSRF Token?

By

What is a CSRF Token?
Tweet
Share
Share

One of the best things about the internet is how flexible we can be when using it. We can browse the internet, check our mail, and watch videos almost simultaneously. We can also handle sensitive information at the same time as we do something… less serious. When a site is vulnerable to a certain kind of XSS or Cross Site Scripting known as Cross Site Request Forgery, things can get bad without us even knowing.

CSRF stands for Cross Site Request Forgery, and a CSRF token, or anti-CSRF token, is used to prevent these kinds of malicious attacks against a website’s users. To understand how a CSRF token works, we must understand this kind of XSS attack.

Background

According to OWASP, a CSRF attack is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

This means that an attacker will trick an unsuspecting user into making a request, GET or POST, to a site that they are already authenticated to in a browsing session. Then, the victim performs the request with what the attacker wants.

For Example

Say that when you transfer money between bank accounts on your bank’s website, the request looks like this:

http://mybank.com/transfer.do?acct=me&amount=100

The hacker sends this user a link, often through a malicious email, and entices a user to click on it:

http://mybank.com/transfer.do?acct=hacker&amount=100000

If you were authenticated to your bank website at the time of clicking this link, and there were no countermeasures in place like CSRF tokens, then clicking on that link could transfer money from your account to the threat actor because the bank’s website does not track the origin of the request. Pretty crazy?This example is oversimplified, but the main idea is the attack.

Enter CSRF Tokens

A CSRF token is usually a randomly generated token that is set up in parallel to the login session of the user. This way, the website always knows the origin of the request to be from that website’s user. No token = No request made.

Many modern JavaScript frameworks including Django and Angular support and even default use of a CSRF token. If your site handles sensitive data, especially if you have an eCommerce site, you need CSRF protection! As a user, make sure you log off of a web application when you finish using it.

This explanation of why we need CSRF tokens is just another example of how we protect ourselves and our customers. Keep up the good work!

Happy Hosting

Tweet
Share
Share

Sign up for our newsletter!