Cross-Site Request Forgery (CSRF) is an attack that forces a user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests rather than data theft, since the attacker has no way to see the response to the forged request. With a little help from social engineering, an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests such as transferring funds or changing their email address. If the victim is an administrative user, CSRF can compromise the entire web application.
Several things have to happen for cross-site request forgery to succeed:
1) The attacker must target either a site that doesn’t check the Referer header or a victim with a browser or plugin that allows Referer spoofing. (Referer checking is a weak defence on its own: the header is frequently stripped by browsers, privacy extensions and proxies, so a site that accepts requests with a missing Referer is effectively not checking it.)
2) The attacker must find a form submission at the target site, or a URL that has side effects, that does something of value to the attacker, such as changing credentials or transferring money.
3) The attacker must determine the right values for all of the form or URL inputs; if any of them are required to be secret authentication values or IDs that the attacker can’t guess, the attack will most likely fail.
4) The attacker must lure the victim to a web page with malicious code while the victim is logged into the target site. The victim’s browser then sends the forged request with the victim’s session cookie attached automatically.
Cross-site request forgery is a serious attack that may affect any web application. CSRF is normally carried out through social engineering, such as an email or link that leads the victim to a page which sends the forged request. Because that request arrives with the victim’s own session cookie, the server cannot tell it apart from a legitimate one by the cookie alone; it needs a value that the attacker’s page cannot obtain. The most common mitigation is the synchronizer token pattern: the server generates a unique, unpredictable random token for each session (or for each form or request), embeds it in its own pages as a hidden form field or a custom header, and verifies it on every state-changing request. A request whose token is missing, malformed, or does not match the token bound to the session is rejected before it reaches the application. The token only works if it is not guessable, is not carried solely in a cookie (which the browser would attach to the forged request as well), and is checked on the server for every state-changing endpoint rather than only on the login form.