
Cross-Site Request Forgery (CSRF)

introduction

HTTP is a stateless protocol, so the browser keeps the state and sends it back to the server with every request; the typical example is an authentication token stored in a cookie.

How does the browser handle cookies?

  1. The backend tells the browser to store a value as a cookie (the `Set-Cookie` response header).
  2. The browser stores the cookie, keyed by the site that set it.
  3. When the user makes a request to a site, the browser looks up the cookies that belong to that site and attaches them to the request.

Example: a request to facebook.com, given this (simplified) picture of the cookie store

```js
// COOKIE STORE
{
  "facebook.com": { token: "test", id: "57741" },
  "todo.com": [
    { id: 1, task: "test" },
    { id: 2, task: "test" },
    { id: 3, task: "test" },
  ],
  "google.com": "lorem lorem lorem lorem"
}
```

When the browser sees that the request is for facebook.com it sends

```
"facebook.com": { token: "test", id: "57741" }
```

in the request as a cookie (the `Cookie` request header).
NOTE: the browser does not check whether the user deliberately triggered the HTTP request or whether a page initiated it on its own (an image load, a form submitted by a script); in both cases it attaches the destination site's cookies, subject only to the cookie's SameSite attribute (see below).

CSRF

CSRF forces the victim's browser to perform a security-sensitive action on the vulnerable site, using the victim's own authenticated session, without the victim intending it.

How does CSRF work?

  1. The victim logs in to the vulnerable site, say 'facebook.com'.
  2. 'facebook.com' tells the victim's browser to save the session token in a cookie, so that the server recognises the user on later requests.
    THE ATTACK ⬇
  3. The attacker lures the victim to a malicious site that contains a resource whose URL points at the sensitive operation on the vulnerable site:
```html
<img src='https://facebook.com/posts?text=new%20post' />
```
  4. The victim opens the malicious site.
  5. When the browser encounters the img tag it sends a GET request to the src URL 'https://facebook.com/posts?text=new%20post' and attaches the facebook.com cookies, including the auth token, to that request.
    The Facebook server cannot distinguish this request from one the victim made deliberately, so it executes it as a valid request.

Conditions needed for a CSRF attack

  • Relevant action: there is an action within the application that the attacker has a reason to induce (changing an email address, posting content, transferring money).
  • Cookie-based session handling: the site identifies the user solely by a session cookie, which the browser attaches automatically; nothing else (for example a custom request header) is needed to validate the session.
  • No unpredictable request parameters: the request that performs the action contains no parameter whose value the attacker cannot determine or guess (for example, a change-password form that requires the old password cannot be forged).

GET AND POST CSRF EXAMPLES

GET

```html
<img src='https://facebook.com/posts?text=new%20post' />
```

POST

```html
<form action="https://vulnerablewebsite.com/email/change" method="POST">
  <input type="hidden" name="email" value="email@em.com" />
</form>
<script>
  /* the form submits itself as soon as the page loads; no click is needed */
  document.forms[0].submit();
</script>
```

CSRF Defense

Anti-CSRF token:

A unique, unpredictable value generated by the website and included in the form submissions or other actions that the website presents to the user.

How does the anti-CSRF token work?

  1. The server generates a random, unguessable token and stores it, bound to the user's session.
  2. The server sends the requested HTML page with a hidden input in the form whose value is the token.
  3. The user submits the form; the request carries the token.
  4. The server compares the received token with the stored one: if they match the request is valid, otherwise (missing or wrong token) it is rejected.

How does this stop CSRF attacks?

The attacker's page cannot obtain the token: the same-origin policy prevents a page on the attacker's site from reading a response from the vulnerable site, and the token is not stored in a cookie that the browser would attach automatically. Since a random token cannot be guessed either, every cross-site request arrives without a valid token and is rejected. Note that the check must reject a missing token, not only a wrong one.

SameSite cookie attribute:

An attribute set on the cookie that tells the browser not to send it when the request originates from a different site. "Site" here means the registrable domain (hackmd.com versus google.com); subdomains such as docs.google.com count as the same site as google.com.

Example: suppose google.com sets its cookie with SameSite=Strict

The current site is "hackmd.com"
and the page requests "google.com/docs/clear":
the browser will not send the cookie with the request to google.com, because hackmd.com is not the same site.

The current site is "google.com"
and the page requests "google.com/docs/clear":
the browser will send the cookie with the request to google.com, because it is the same site.

How to set a cookie with SameSite in PHP (the array form of the options requires PHP 7.3 or later)

```php
$name = "MyCookie";
$value = "Some value";
$options = [
    'samesite' => 'Strict', // or 'Lax'
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
];
setcookie($name, $value, $options);
```

The possible values are:

  • Strict: the cookie is sent only on same-site requests (including requests from our own subdomains).
  • Lax: same-site requests plus cross-site top-level navigations that use a safe method, such as the user clicking a link to our site; it is not sent on cross-site subresource loads (img, script, fetch) or cross-site POST forms.
  • None: the cookie is sent on all cross-site requests; browsers accept it only together with the Secure attribute.

Some browsers (Chrome since version 80) treat a cookie with no SameSite attribute as Lax, but do not rely on that default; set it explicitly. SameSite is defence in depth, not a replacement for the anti-CSRF token: with Lax a cross-site top-level GET still carries the cookie, so a state-changing GET endpoint like the first example above remains exploitable.