Cross-site request forgery (CSRF or XSRF), also known as a one-click attack, is a web security vulnerability that lets an attacker induce authenticated users of a web application to perform actions they do not intend to perform.
Cross Site Request Forgery = Cross Site + Request Forgery
Cross-Site Request Forgery Working Model
Attackers usually deliver a CSRF attack through social engineering: the victim is tricked into clicking a URL (or opening a page) that contains one or more maliciously crafted, unauthorized requests aimed at a specific web application. The victim's browser then sends those requests to the targeted application, automatically attaching any credentials it holds for that site (for example the user's session cookies). Because the requests arrive with an active session, the application treats them as authorized requests submitted by the legitimate user.
The attacker has then successfully exploited the CSRF vulnerability in the web application.
Many kinds of forms can be the target of a CSRF attack, for example:
- A form that submits or deletes a record
- A form that submits a transaction
- A form that purchases a product
- A form that changes a password
- A form that sends a message
- A contact form
Protecting an Application Against Cross-Site Request Forgery
Preventing CSRF requires including an unpredictable token in the body or URL of each HTTP request. Such tokens should, at a minimum, be unique per user session and should also be unique per request.
- Properly validate the submitted form before the relevant action is executed.
- The preferred option is to include the unique token in a hidden form field. The token can also be included in the URL itself or as a URL parameter.
- Check the Referer header of each request.
- Use a CAPTCHA on all critical pages.
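The token-in-hidden-field and Referer checks described above, as an added example that is not part of the original article. It assumes a server-side session represented as a plain dict, an assumed key name `csrf_tokens`, and an assumed form field name `csrf_token`; tokens are single-use so that each request gets its own, and comparison is constant-time.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Added example: minimal synchronizer-token helpers. `session` stands in for
# whatever server-side session store the application uses (assumed dict).

def issue_token(session: dict) -> str:
    """Mint an unpredictable token and remember it server-side for this session."""
    token = secrets.token_urlsafe(32)
    session.setdefault("csrf_tokens", set()).add(token)
    return token

def hidden_field(session: dict) -> str:
    """Hidden input carrying a fresh token, for embedding in a state-changing form."""
    return f'<input type="hidden" name="csrf_token" value="{issue_token(session)}">'

def validate_token(session: dict, submitted: Optional[str]) -> bool:
    """Accept a token once, compare in constant time, reject anything unknown."""
    if not submitted:
        return False  # missing field: fail closed
    issued = session.get("csrf_tokens", set())
    for token in issued:
        # bytes comparison so non-ASCII attacker input cannot raise TypeError
        if hmac.compare_digest(token.encode(), submitted.encode()):
            issued.discard(token)  # single use: a replayed token is rejected
            return True
    return False

def referer_allowed(headers: dict, site_host: str) -> bool:
    """Secondary defence: the Origin (or Referer) header must name our own host."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when a proxy or privacy setting strips the header
    return urlsplit(source).hostname == site_host
```

A handler for a state-changing POST would call `validate_token` (and optionally `referer_allowed`) before performing the action, and render the form with `hidden_field`.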
CSRF is a common form of attack and has been listed several times in the OWASP (Open Web Application Security Project) Top Ten.