4 Cross-site request forgery


This chapter covers

  • Learning how cross-site request forgery (CSRF) works
  • Looking at consequences CSRF may bring
  • Preventing CSRF
  • Protecting cookies to prevent CSRF
  • Clickjacking and how it’s related to CSRF

In 2005, security researcher Samy Kamkar found a security vulnerability in the then-popular social network Myspace (if you've been around long enough, you might remember that service). He managed to inject JavaScript code into his profile page, a classic cross-site scripting (XSS) attack (explained in chapter 2). The JavaScript code, however, did something really interesting: when executed in a visitor's browser, it issued an HTTP request on that victim's behalf, adding them to Kamkar's friends list and copying the payload into their own profile. This started a chain reaction, and less than 20 hours later, Kamkar had over one million friends on Myspace.

NOTE

Kamkar himself provided a detailed reconstruction of the events at https://samy.pl/myspace/, and a thorough technical description of the attack at https://samy.pl/myspace/tech.html. However, I recommend that you read this chapter first so that you know all the required technical details about these kinds of attacks.

4.1 Anatomy of a cross-site request forgery attack

4.2 Cross-site request forgery countermeasures

4.2.1 Making the HTTP request unpredictable

4.2.2 Securing the session cookie

4.3 Clickjacking

4.4 Cross-origin resource sharing

Summary