T 5.171 Cross-Site Request Forgery (CSRF, XSRF, Session Riding)
If state-changing functions of a web application can be invoked without any further check of the authenticity of the HTTP request (e.g. by means of tokens in hidden form fields), an attacker can supply the user with a prepared link that executes a command.
Such a link containing the execution request can be delivered to the user by social engineering methods, for example as a link in an email. If the user is logged in to the web application with a current session and follows the prepared link, the web application executes the transmitted command, because it interprets the HTTP request as an action deliberately performed by the user. Such a link may also carry privileged commands, such as changing access credentials or creating a new user. The user may not even notice the process; at most, a message about the successfully executed action appears on screen.
In contrast to XSS (see T 5.170 Cross-Site Scripting (XSS)), the objective of the attack is not to execute script code, but to perform unauthorised state-changing actions in the context of the logged-in user.
A combination of CSRF and XSS makes it possible to control the client unobtrusively by executing scripts, so that no user interaction is required at all. Commands within the script can, for example, automatically redirect the browser to a prepared link.
Example:
- While a user is logged in to the administration interface of a router, the user uses the same browser to surf the internet at the same time. A prepared link on a website sends the router a request to change the access password. The browser automatically attaches the session cookie that the web application uses to verify the authenticity of the request, and the router performs the change. Since the user has a valid session in the administration interface, the command is executed and the access password is changed to one the user does not know.
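The mechanism described above and the router example, as an added illustration that is not part of the catalogue entry: a minimal Python model of a "change password" endpoint that only checks the session cookie, next to a hardened version that additionally requires a per-session token carried in a hidden form field (the countermeasure the entry alludes to). The request object, the session store, the endpoint names and the attacker's auto-submitting form are assumptions made for this self-contained demonstration; it also shows that a POST endpoint is forged just as easily as a GET link, without any XSS being needed.

```python
"""Added example: CSRF-prone vs. token-protected state change.
Request/session shapes and handler names are assumptions for the demo."""
import hmac
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    cookies: dict                       # attached by the browser automatically
    form: dict = field(default_factory=dict)


SESSIONS = {}                           # session id -> {"user", "csrf"}
USERS = {"admin": "initial-secret"}     # constructed sample account


def login(user):
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def current_session(req):
    return SESSIONS.get(req.cookies.get("session"))


def vulnerable_change_password(req):
    """Only checks for a valid session cookie: a request forged by any site the
    victim visits is indistinguishable from one the victim intended."""
    sess = current_session(req)
    if sess is None or req.method != "POST":
        return 401, "not logged in"
    USERS[sess["user"]] = req.form["new_password"]
    return 200, "password changed"


def render_password_form(req):
    """Legitimate page: embeds the session's token in a hidden field. A foreign
    origin cannot read this response, so it cannot learn the token."""
    sess = current_session(req)
    return (f'<form method="POST" action="/change_password">'
            f'<input type="hidden" name="csrf_token" value="{sess["csrf"]}">'
            f'<input name="new_password"><input type="submit"></form>')


def hardened_change_password(req):
    """Cookie alone is not enough: the submitted token must match the session."""
    sess = current_session(req)
    if sess is None or req.method != "POST":
        return 401, "not logged in"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    USERS[sess["user"]] = req.form["new_password"]
    return 200, "password changed"


# Constructed attacker page: submits itself on load; the victim's browser adds
# the router's session cookie without any click. Target address is hypothetical.
ATTACKER_PAGE = """<form id="f" method="POST" action="http://192.168.1.1/change_password">
<input type="hidden" name="new_password" value="attacker-chosen">
</form><script>document.getElementById("f").submit()</script>"""


def forged_request(sid, extra_form=None):
    """What the router receives when the logged-in victim loads ATTACKER_PAGE."""
    form = {"new_password": "attacker-chosen", **(extra_form or {})}
    return Request("POST", "/change_password", {"session": sid}, form)


def demo():
    """Run the scenarios and return their outcomes (status, resulting password)."""
    USERS["admin"] = "initial-secret"
    sid = login("admin")
    forged = forged_request(sid)

    vuln_status, _ = vulnerable_change_password(forged)
    vuln_pw = USERS["admin"]                         # attacker wins

    USERS["admin"] = "initial-secret"
    hard_status, _ = hardened_change_password(forged)
    hard_pw = USERS["admin"]                         # unchanged

    # attacker guessing a token is no better than omitting it
    guess_status, _ = hardened_change_password(
        forged_request(sid, {"csrf_token": secrets.token_urlsafe(32)}))

    # legitimate flow: token read from the real form, then submitted with it
    html = render_password_form(Request("GET", "/change_password", {"session": sid}))
    token = re.search(r'name="csrf_token" value="([^"]+)"', html).group(1)
    legit = Request("POST", "/change_password", {"session": sid},
                    {"new_password": "user-chosen", "csrf_token": token})
    legit_status, _ = hardened_change_password(legit)

    return {"vulnerable": (vuln_status, vuln_pw),
            "hardened_forged": (hard_status, hard_pw),
            "hardened_guess": guess_status,
            "hardened_legit": (legit_status, USERS["admin"])}


if __name__ == "__main__":
    print(demo())
```

The token check works because the browser sends the cookie to any origin, but the same-origin policy keeps a foreign page from reading the form that contains the token; the comparison uses hmac.compare_digest so that the rejection time does not leak how many leading characters of a guess were right.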