What is CSRF and CSRF Token

Cross-site request forgery (CSRF or XSRF), also known as a one-click attack, is a web security vulnerability that allows an attacker to induce authenticated users of a web application to perform actions they do not intend to perform.

Cross Site Request Forgery = Cross Site + Request Forgery

Cross-Site Request Forgery Working Model

Attackers use social engineering techniques to deliver a CSRF (XSRF) attack. The victim is tricked into clicking a URL, or visiting a page, that carries one or more maliciously crafted, unauthorized requests aimed at a specific web application. The victim's browser then sends these crafted requests to the targeted web application, and automatically attaches any credentials it holds for that site (the user's session cookies). If the user has an active session with the targeted web application, the application treats the new request as an authorized request submitted by the authenticated user.
The attacker has thus successfully exploited the CSRF vulnerability in the web application.

CSRF can be used to forge many kinds of form submissions, for example:

  • Submitting or deleting a record form
  • Submitting a transaction form
  • Purchasing a product form
  • Changing a password form
  • Sending a message form
  • Contact form

Protecting an Application Against Cross-Site Request Forgery Attacks

Preventing CSRF attacks requires including an unpredictable token in the body or URL of each HTTP request. Such tokens should at a minimum be unique per user session as well as unique per request.

  • Properly validate the submitted form (including its token) before the relevant action is executed.
  • The preferred option is to include the unique token in a hidden form field. The token can also be included in the URL itself, or as a URL parameter.
  • Check the Referer header of each request.
  • Use a CAPTCHA on all critical pages.

CSRF is a common form of attack and has ranked several times in the OWASP Top Ten (Open Web Application Security Project).
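As an added example (not code from the original post, and not Magento's own implementation), the following Python sketch implements the token scheme described in this section and shows how it stops the forged request described in the working model above: each session gets a secret seed, every form render receives a fresh token derived from that seed, the token is validated before the state-changing action runs, and the Referer/Origin header is checked as a secondary control. The `SESSIONS` store, the `handle_change_password` handler and the `shop.example` host are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# In-memory session store standing in for a real session backend (an assumption
# for this example); each session gets its own random CSRF seed at creation.
SESSIONS = {}


def new_session(user):
    """Create a session and return its id; the seed itself is never sent to the browser."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_seed": secrets.token_bytes(32), "used": set()}
    return sid


def issue_csrf_token(sid):
    """Mint a token for one form render: "<nonce>.<hmac(seed, nonce)>".

    The nonce makes every token unique per request; the HMAC binds it to the
    session so a token minted in one session cannot be replayed in another.
    Nothing is stored per token: the MAC is recomputed on verification.
    """
    nonce = secrets.token_urlsafe(16)
    mac = hmac.new(SESSIONS[sid]["csrf_seed"], nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(sid, token):
    """Accept a token exactly once, and only for the session that issued it."""
    session = SESSIONS.get(sid)
    if session is None or not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.rsplit(".", 1)
    if nonce in session["used"]:
        return False  # replay of a token that already authorised a request
    expected = hmac.new(session["csrf_seed"], nonce.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the expected MAC byte by byte.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    session["used"].add(nonce)
    return True


def origin_matches(headers, site_host):
    """Secondary check from the list above: Origin (or Referer) must name our own host.

    A missing header is treated as a failure for state-changing requests (fail closed).
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlparse(source).hostname == site_host


def handle_change_password(sid, form, headers, site_host="shop.example"):
    """Gate the state-changing action on both checks before executing it."""
    if not origin_matches(headers, site_host):
        return (403, "referer/origin check failed")
    if not verify_csrf_token(sid, form.get("csrf_token")):
        return (403, "csrf token invalid")
    # The real password change for SESSIONS[sid]["user"] would run here.
    return (200, "password changed")


if __name__ == "__main__":
    sid = new_session("alice")
    token = issue_csrf_token(sid)  # would be rendered into a hidden form field
    own_site = {"Referer": "https://shop.example/customer/account/"}
    print(handle_change_password(sid, {"csrf_token": token}, own_site))
    # A forged cross-site request rides on the session cookie but cannot supply
    # the token, and its Origin names the other site, so it is refused twice over.
    print(handle_change_password(sid, {}, {"Origin": "https://other.example"}))
```

The token check is the primary control: browsers and privacy extensions can strip the Referer header, so a site that relied on the header alone would either break legitimate users or have to fail open. Marking each nonce as used after one successful submission gives the per-request uniqueness the section asks for without the server having to store tokens ahead of time.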
