Understanding CSRF Attacks: How They Work and How to Prevent Them

What is CSRF Attack?

Cross‑Site Request Forgery (CSRF) allows an attacker to forge a request and submit it as an authenticated user to a web application, exploiting the fact that HTML elements send credentials such as cookies, even across domains.

Like XSS, a CSRF attack requires the victim to click or navigate to a malicious link, but unlike XSS the attacker cannot execute code in the victim’s origin; nevertheless CSRF can be as dangerous as XSS.

Background of CSRF

Web started as a static document platform, later added interactivity with POST verbs and the <form> element, and introduced cookies for state storage.

CSRF exploits three web properties: cookies store credentials, HTML elements can issue cross‑origin requests, and browsers automatically attach cookies to all requests.

The attacker creates a malicious website containing HTML elements that submit requests to the victim’s site; when the victim visits the malicious site, the browser attaches the victim’s cookies, making the request appear legitimate.

How Does It Work?

It is effective only when the potential victim is authenticated.

The attacker can bypass authentication and gain access to the target site.

CSRF is used when a privileged victim performs actions that others cannot, e.g., online banking.

CSRF Attack Execution Steps

Step 1 : Lure the user/victim to click a link or load a malicious page, often via social engineering.

Step 2 : Send a forged request from the victim’s browser to the target site, making it appear legitimate and including the victim’s cookies.

Key Concepts of CSRF

The attacker sends a malicious request to a site where the victim is already authenticated.

The victim’s browser includes authentication credentials (cookies) when routing the request.

The vulnerable site, not the victim’s browser, is the primary target.

How to Prevent CSRF

Common prevention methods include:

Log out of web applications when not in use.

Protect usernames and passwords.

Avoid saving passwords in the browser.

Do not browse while logged in to sensitive applications.

Anti‑CSRF Token

The most common implementation uses a token tied to the user, placed in a hidden form field and also sent as a cookie.

1. CSRF Token

Workflow:

Client requests an HTML page with a form.

Server responds with two tokens: one set as a cookie, the other stored in a hidden form field; both are randomly generated.

When the form is submitted, the client sends both tokens back to the server.

If a request lacks either token, the server rejects it.

2. SameSite Cookie

Some cookies are associated with a specific site; they are sent only with requests to that site, preventing third‑party use and mitigating CSRF.

3. SameSite Cookie Attribute

Setting the SameSite attribute disables third‑party usage of the cookie.

The server sets this attribute when issuing the cookie; the browser sends the cookie only on direct navigation.

If a request originates from another site, the cookie is not sent, helping prevent CSRF.

Note: Modern browsers support SameSite, but older browsers may not.

CSRF Example

<class=”word”>下面<class=”word”>我们有<class=”word”>解释<class=”word”>一些<class=”word”>例子<class=”word”>CSRF ：

1. Using GET requests

Assume a site banking.com performs actions via GET requests. An attacker can embed a malicious URL in an <img> tag to cause the browser to silently load the URL.

Example of an HTML image element with a malicious URL:

<img src="http://banking.com/app/transferFunds?amount=2500&destination=56789">

2. Alternative techniques

Send an email containing HTML content.

Inject script or malicious URL into a page.

3. Using POST requests

There is a common misconception that allowing HTTP POST prevents CSRF; attackers can create an HTML form with auto‑submit to send POST requests without user interaction.

Conclusion

Cookies are automatically sent with requests, making them easy targets for CSRF attacks; the impact depends on the victim’s privileges. Although data retrieval is not the primary goal, state‑changing actions can have serious consequences, so implementing preventive measures is strongly recommended.