CSRF | beware!

justgig8
2 min read · Jan 28, 2021


CSRF = Cross-Site Request Forgery

Honestly, this reminds me of movies like Catch Me If You Can, The Italian Job. Something to do with some kind of unauthorised loot or operation.

And it is. Exactly that.

A CSRF attack is one where a site you never meant to trust forges a request to your site from the victim's own browser, riding on the auth cookie the browser already holds for your site.

How is it done?!

  1. Let’s say you are signed in to site X, meaning the browser holds a session cookie for your user on site X.
  2. Somehow (through a phishing link, a malicious ad, etc.), you end up opening a site Y in the same browser.
  3. Site Y can host a form for you to submit, or a hidden iframe in which a form is submitted automatically by script, without your intent, with its action pointing at an endpoint on site X.
  4. While sending the request to site X, the browser innocently picks up the cookie stored for X and attaches it.
  5. The server side of X has no way to tell that the request was initiated from Y and not from one of its own pages, so it authenticates the request on the strength of the cookie alone.
  6. RED ALERT. RED ALERT. Site Y has now performed an operation on X’s server, with a request that looks as if it came from X. If that operation was something like transferring money to someone, you would be devastated!

How is it prevented?!

  1. One way to prevent it is a dynamic, unguessable token (the CSRF token), bound to the user’s session, embedded in every form (or sent in a request header) and validated by the server on each state-changing request. Site Y cannot read X’s pages or responses (the same-origin policy keeps them out of reach), so a request that originated at Y arrives without the token and is rejected. The server must check the token it receives in the form body or header against the one tied to the session; merely checking that a cookie carrying it was sent proves nothing, since the browser attaches cookies automatically.
  2. Another way is the SameSite cookie attribute. With SameSite=Strict the browser never sends your site’s cookie on requests initiated from any other site; with SameSite=Lax it still sends it on top-level navigations using safe methods such as GET, so a state-changing GET endpoint stays exposed. Requests forged from another site then arrive at your server without the cookie and are rejected as unauthenticated. Two caveats: subdomains of the same registrable domain count as the same site, so a compromised sibling subdomain is not stopped, and browsers that predate the attribute ignore it, so it complements the token rather than replacing it.
