Form without CSRF token: what are the risks

What exactly are the risks I'm exposing myself to if I don't use csrf tokens in my forms? I'm not looking for simple labels or names of the risks, because these can be confusing. I need to understand what exactly an attacker can do and only under what circumstances they can do this, in plain English.

samquo, asked Jan 19 '11 05:01



2 Answers

A CSRF vulnerability is one which allows a malicious user (or website) to make an unsuspecting user perform an action on your site which they didn't want to happen.

Some real-world examples would be things like: if you allowed a user to delete an account over GET instead of POST, someone could post the following comment on your site (assuming the site has some way to post comments or other input, etc.):

I thought I'd make a comment on your site. Check out this cool image!
<img src="http://example.com/delete_my_account.php" />

And now any time a logged in user loads that page, their account would be deleted. If it was done over POST instead of GET, someone could craft a form and trick users into submitting it and the same result would happen. Whereas if you used a CSRF token, this wouldn't be possible.

Another example would be that an external site could craft a form which POSTs to your site, and perform an undesirable action. So let's say your site has a shopping cart which doesn't use CSRF tokens. A malicious site could create a form with a button that says "Click here to register", but actually orders 1000 of something from your site. If a logged in user from your site visits this malicious site and clicks the button, they'll get a nice surprise in the mail.

Obviously there are other cases, these are just a few examples. A Google search should show up plenty of articles and tutorials, many of which will probably have some other examples. The Wikipedia page also has some examples which you might find interesting.

The main idea of the examples is that someone can trick your site into performing an action as if it came from a user, when really the user wasn't aware it was happening or didn't want it to happen. If you have any sort of action on your site which is destructive (i.e. can delete things from a user account, log out a user, etc.) or critical (i.e. deals with money) you should probably use CSRF tokens. If your site is just a photo album for friends, etc. then you probably don't need to bother with CSRF tokens (although it's always good to practice for when you do build a site that needs them).

Unless you add a token to ensure that a request came from a form your site presented to the user intentionally, you don't really have a way of knowing if the user intended to perform the action.

So you always want to use a unique token on every form you generate that POSTs and validate any requests that are POSTed to your site have a valid token for the current user. Also make sure to expire the tokens after some amount of time so that they don't last forever.

Rich Adams, answered Oct 18 '22 03:10
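The mitigation the answer above describes (a per-form token bound to the current user, validated on every POST, and expiring after a while) as an added, self-contained Python example that is not part of the original answer. The secret, the session ids, the form name `delete_account` and the dictionary-shaped `request` are constructed for the demo; a real application would load the secret from configuration and take the session id from its session cookie.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"  # assumption: loaded from config in practice
TOKEN_TTL_SECONDS = 3600  # tokens expire, as the answer recommends


def _mac(session_id: str, form_name: str, ts: int, nonce: str) -> str:
    # Bind the token to the user's session AND the specific form, so a token
    # issued for one user or one form cannot be replayed for another.
    msg = f"{session_id}|{form_name}|{ts}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, form_name: str, now: Optional[float] = None) -> str:
    """Mint a unique token to embed as a hidden field when rendering the form."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)  # unique per rendering of the form
    return f"{form_name}|{ts}|{nonce}|{_mac(session_id, form_name, ts, nonce)}"


def validate_token(token: Optional[str], session_id: str, form_name: str,
                   now: Optional[float] = None) -> bool:
    """True only if the token was minted for this session and form and is not expired."""
    if not token:
        return False  # a form forged on another site carries no token at all
    try:
        form, ts_str, nonce, mac = token.split("|")
        ts = int(ts_str)
    except ValueError:
        return False  # malformed or tampered token
    if not hmac.compare_digest(_mac(session_id, form, ts, nonce), mac):
        return False  # wrong session, wrong secret, or altered fields
    if form != form_name:
        return False  # valid token, but for a different form
    current = int(now if now is not None else time.time())
    return 0 <= current - ts <= TOKEN_TTL_SECONDS


def handle_delete_account(request: dict, session_id: str, now: Optional[float] = None) -> str:
    """Hardened handler: state change only over POST, and only with a valid token."""
    if request.get("method") != "POST":
        return "405 method not allowed"  # an <img src=...> GET can no longer trigger it
    token = request.get("form", {}).get("csrf_token")
    if not validate_token(token, session_id, "delete_account", now):
        return "403 forbidden"
    return "200 account deleted"
```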


I would advise you to read this excellent article explaining what CSRF is and how you could best protect yourself against it.

Alfred, answered Oct 18 '22 01:10