
Understanding Cross-Site Request Forgery (CSRF)

 

The security of an application for its users should be the first thing developers consider when building an application, whether it is Ajax-based or not. By ensuring security, users will tend to use your application more, because they know their sensitive information will be protected.


But new technologies and revamped types of attack continuously expose new vulnerabilities in an application.


As soon as developers find a technique that improves the security of their application, a specific counterpart that attacks that security measure is already under development. In an instant, the user, the website owner and everything that has a direct or indirect connection to the website could be affected.


CSRF or Cross-Site Request Forgery

Before going further into what CSRF is, let us first look at what CSRF is not, to better understand the type of attack. CSRF is not the same as Cross-Site Scripting, better known as XSS. That type of attack originates from the website, where a script is slowly loaded onto the user’s computer.


This is often seen in Ajax-based applications, where the JavaScript is loaded onto the user’s computer and starts to crawl through and destroy certain applications or steal sensitive information.


CSRF, on the other hand, does not originate from the website but from the users. A script can easily be injected into a website without the knowledge of the website owner. This type of attack does not even need JavaScript, although it can still be carried out with that language.


A simple “img” tag can be used as a gateway for an attack. As soon as another user loads the image file on his or her device, the script automatically executes the tasks it was made for; one of the common types of CSRF attack is to steal information from users’ cookies.


Intensified in Ajax-Based Applications

The problem with CSRF is highlighted in Ajax-based applications simply because the security measures observed by most Ajax developers are firmly rooted in JavaScript. They have to focus on JavaScript, since an attack on XHR or on other functions used in JavaScript is possible.


But a CSRF attack is not only based on JavaScript. As already indicated, CSRF can arrive with an image file. It looks very innocent but can trigger a lot of problems for any user. That is why it is also called a one-click attack: all it takes is one click to unleash the destructive script on the user.


Prevention

The simplest way of preventing this type of attack on Ajax-based applications is to replace GET with POST commands. POST will essentially extract the data without fully implementing it in the system.


However, this only solves half of the problem, since POST only addresses certain parameters. To cover the rest, a “double cookie” method can be implemented: instead of relying on a single cookie, a second cookie should be required for authentication.


HTTP Authentication and Referrer request checks can also be viable tools to protect users against this type of attack, as they compare the provided images and data with accepted cookies that were previously used by other users.






 

 
