One of the best things about the internet is how flexible we can be when using it. We can browse the internet, check our mail, and watch videos almost simultaneously. We can also handle sensitive information at the same time as we do something… less serious. When a site is vulnerable to a certain kind of XSS or Cross Site Scripting known as Cross Site Request Forgery, things can get bad without us even knowing.
CSRF stands for Cross Site Request Forgery, and a CSRF token, or anti-CSRF token, is used to prevent these kinds of malicious attacks against a website’s users. To understand how a CSRF token works, we must understand this kind of XSS attack.
According to OWASP, a CSRF attack is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
This means that an attacker will trick an unsuspecting user into making a request, GET or POST, to a site that they are already authenticated to in a browsing session. Then, the victim performs the request with what the attacker wants.
Say that when you transfer money between bank accounts on your bank’s website, the request looks like this:
The hacker sends this user a link, often through a malicious email, and entices a user to click on it:
If you were authenticated to your bank website at the time of clicking this link, and there were no countermeasures in place like CSRF tokens, then clicking on that link could transfer money from your account to the threat actor because the bank’s website does not track the origin of the request. Pretty crazy?This example is oversimplified, but the main idea is the attack.
Enter CSRF Tokens
A CSRF token is usually a randomly generated token that is set up in parallel to the login session of the user. This way, the website always knows the origin of the request to be from that website’s user. No token = No request made.
This explanation of why we need CSRF tokens is just another example of how we protect ourselves and our customers. Keep up the good work!