Cross-Site Request Forgery (CSRF) attacks target web applications. A successful CSRF attack causes the application to carry out an action the user never intended, such as changing account settings or other user information. Because the attacker's page cannot read the response to the forged request (the browser's same-origin policy prevents that), CSRF is primarily a way to make unauthorized state changes; extracting sensitive data through CSRF generally requires combining it with another weakness.
CSRF attacks use social engineering to convince a user to open a link or visit a page that, when processed by the affected web application, results in the application executing an action the attacker chose with the privileges of the victim. The forged request does not need to be clicked: it can be embedded in a page the attacker controls (or in content stored on a third-party site) as a one-pixel image or a hidden iframe, so that merely rendering the page makes the victim's browser send it. The browser attaches the victim's session cookie to the request automatically, so the server treats the request as a legitimate action by the authenticated user. For the same reason, the origin of a CSRF attack is difficult to trace: the server's logs show the victim's IP address and session, not the attacker's.
The textbook CSRF example is a forged bank account transfer; the walk-through below uses a salary portal instead, but the mechanism is the same. Assume the human resources department of company X uses a web portal to update employee salary information. To raise a salary, an HR employee authenticates to the web application, navigates to the raise salary area of the portal, completes a form with the name of the employee and the amount of the raise, and presses the submit button to process the form. If the submitted form was for an employee named John Doe who was given a raise of US$100, the browser generates an HTTP POST request of the following form, with the form fields carried in the request body:
POST http://hr.companyX-internal.com/raisesalary.do HTTP/1.1
Host: hr.companyX-internal.com
Content-Type: application/x-www-form-urlencoded

usr=JohnDoe&amount=100
The browser holds the HR employee's authenticated session in a cookie, and it attaches that cookie to every request it sends to hr.companyX-internal.com, regardless of which page caused the request. If the application also accepts the same parameters in the query string and does not require the POST method for this state-changing action, the same salary raise can be triggered by the following HTTP GET request:
GET http://hr.companyX-internal.com/raisesalary.do?usr=JohnDoe&amount=100 HTTP/1.1
Any page that references this URL, whether as a link the user clicks or as the src of an image or iframe, causes the browser to issue that GET request with the session cookie attached. No form submission by the user is required.
The human resources web application described above is therefore susceptible to CSRF. A user (for example, John Doe) who has no access to the application could attempt to increase his own salary by US$500 by convincing an HR employee to open a link, or to view a page containing a hidden image or iframe, that points at a forged request such as http://hr.companyX-internal.com/raisesalary.do?usr=JohnDoe&amount=500. As long as the HR employee has an active, authenticated session with the portal (for example, during the working day), the only remaining requirement for the attacker is to get that employee's browser to load the URL. Requiring POST alone is not a complete defense, since an attacker's page can auto-submit a cross-site form; the application must also tie each state-changing request to something the attacker cannot obtain, such as a per-session anti-CSRF token, and should set the session cookie with a SameSite attribute so the browser withholds it from cross-site requests.