This chapter examines another large family of attacks, cross-site request forgery (CSRF). A CSRF attack aims to trick the victim into sending a forged request to a vulnerable website. CSRF resistance boils down to whether or not a system can distinguish a forged request from a user’s intentional requests. Secure systems do this via request headers, response headers, cookies, and state management conventions; defense in depth is not optional.
Suppose Alice deploys admin.alice.com, the administrative counterpart of her online bank. Like other administrative systems, admin.alice.com lets administrators such as Alice manage the group memberships of other users. For example, Alice can add someone to a group by submitting their username and the group name to /group-membership/.
One day, Alice receives a text message from Mallory, a malicious bank employee. The text message contains a link to one of Mallory’s predatory websites, win-iphone.mallory.com. Alice takes the bait. She navigates to Mallory’s site, where the following HTML page is rendered by her browser. Unbeknownst to Alice, this page contains a form with two hidden input fields. Mallory has prefilled these fields with her username and the name of a privileged group.
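How admin.alice.com's /group-membership/ handler can tell Mallory's forged submission apart from a request Alice makes herself, as an added example that is not the book's code: a state-changing request is rejected unless its Origin (or Referer), its Sec-Fetch-Site header, and a CSRF token carried in both a cookie and a form field all agree that it came from the site itself. The Request class, the SITE_ORIGIN constant and the Django-style names csrftoken and csrfmiddlewaretoken are assumptions made for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://admin.alice.com"  # assumption: the admin site's own origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}  # GET etc. must be side-effect free


@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumption)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token() -> str:
    """Token the site sets as a cookie and embeds in its own forms."""
    return secrets.token_urlsafe(32)


def is_forged(request: Request) -> bool:
    """True if the request should be rejected as cross-site request forgery."""
    if request.method.upper() not in STATE_CHANGING:
        return False
    # 1. Request header: browsers attach Origin to cross-origin POSTs; a submission
    #    from win-iphone.mallory.com carries Mallory's origin, not ours.
    source = request.headers.get("Origin") or request.headers.get("Referer")
    if source is None:
        return True  # no evidence of where it came from, so do not trust it
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return True
    # 2. Fetch metadata: only same-origin (or user-typed, "none") navigations pass;
    #    the header is absent in older browsers, so its absence alone is not fatal.
    fetch_site = request.headers.get("Sec-Fetch-Site")
    if fetch_site not in (None, "same-origin", "none"):
        return True
    # 3. State: the form field must match the cookie. Mallory's page cannot read
    #    Alice's cookie, so her hidden fields cannot contain the right token.
    cookie_token = request.cookies.get("csrftoken")
    form_token = request.form.get("csrfmiddlewaretoken")
    if not cookie_token or not form_token:
        return True
    return not hmac.compare_digest(cookie_token, form_token)
```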