Spring Boot HandBook

    Cross-Site Request Forgery (CSRF)

    Introduction :#

    A CSRF attack tricks your browser into sending a request you never intended to a website where you are already logged in. It works because the website trusts any request that arrives with the user's session cookie, so it will act on that request whether the user deliberately made it or a malicious page caused the browser to send it. Here is why CSRF attacks are possible:

    Session Trust:

    Web applications use cookies or session tokens to remember users who are logged in. When a request is made, the application assumes it comes from the authenticated user because the session or cookie is present.

    Lack of Request Verification:

    Many web applications do not verify where a request came from. They accept any state-changing request that carries an authenticated session without checking whether the user actually intended to make it, for example by requiring a secret token that only the legitimate page knows.

    Same-Site Policy:

    Cookies are scoped to the site they belong to, not to the page that triggered the request. Unless a cookie carries a restrictive SameSite attribute, the browser attaches it to requests sent to that site even when the request was initiated by a page on an attacker's domain.

    Automatic Cookie Transmission:

    Because the session cookie is attached automatically, the attacker never needs to read or steal it. A hidden form or image tag on the attacker's page is enough to make the victim's browser send an authenticated request, which the server then processes as if the user had submitted it.

    Imagine this situation: you open your social media app as you do every day, but this time you are logged out. You try to log back in with your usual email or phone number and password, and the app says they are invalid. This is alarming and confusing. One way it can happen is a CSRF attack: while you were still logged in, a malicious page made your browser submit a forged "change email" or "change password" request, and the site accepted it because the request carried your session cookie.

    Figure: CSRF attacks

    How to keep our application safe from this attack:#

    To keep our application safe from this type of attack, we need to implement a few server-side controls, and users can add some precautions of their own.

    1. Keep the user session on the server and bind a CSRF token to it (the synchronizer token pattern). The token must be unpredictable, generated from a cryptographically secure random source, included in every state-changing form or request, and verified by the server on each POST, PUT, PATCH or DELETE. Spring Security enables this by default, so the automatically sent session cookie is no longer enough on its own.
    2. Go stateless and authenticate with a JWT sent in the Authorization header. CSRF then fails because a page on the attacker's domain cannot set that header on a cross-origin request. Caveat: if the JWT is stored in a cookie, the browser sends it automatically and the API is just as exposed as a session-based one, so CSRF protection must stay enabled.

    The remaining points are habits that reduce a user's own exposure; they do not replace the server-side controls above.

    3. Log out when you are not using an account.
    4. Avoid clicking on suspicious links.
    5. Keep your browser and software updated.
    6. Use security extensions or plugins.
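    The following Spring Security configuration is an added example, not code from the handbook, showing how strategies 1 and 2 coexist in one Spring Boot application: a stateless JWT-protected API under /api/** with CSRF disabled, and a session-based browser UI with the default synchronizer token kept on. It assumes Spring Boot 3 / Spring Security 6, the spring-boot-starter-oauth2-resource-server dependency, and spring.security.oauth2.resourceserver.jwt.issuer-uri (or jwk-set-uri) set in application.properties so incoming JWTs can be validated; the /api/** prefix and the class name are assumptions for illustration.

```java
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example (not from the handbook): one SecurityFilterChain per strategy.
 * Assumptions: Spring Boot 3 / Spring Security 6, the
 * spring-boot-starter-oauth2-resource-server dependency on the classpath, and
 * spring.security.oauth2.resourceserver.jwt.issuer-uri (or jwk-set-uri)
 * configured so bearer JWTs can be validated. The /api/** prefix is assumed.
 */
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig {

    // Strategy 2: stateless JSON API authenticated by a bearer JWT.
    // @Order(1) makes this chain win for any request matching /api/**.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            // No HttpSession is ever created, so there is no session cookie
            // for a forged cross-site request to ride on.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Safe to disable ONLY because the credential travels in the
            // Authorization header, which a cross-origin page cannot set.
            // Storing the JWT in a cookie instead would reopen CSRF here.
            .csrf(csrf -> csrf.disable())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }

    // Strategy 1: classic browser session protected by a synchronizer token.
    // Catches everything the API chain did not match.
    @Bean
    @Order(2)
    SecurityFilterChain browserChain(HttpSecurity http) throws Exception {
        http
            // Default CSRF protection: an unpredictable random token is stored
            // in the HttpSession (HttpSessionCsrfTokenRepository) and required
            // as the _csrf form field or X-CSRF-TOKEN header on every
            // POST/PUT/PATCH/DELETE. Thymeleaf's th:action adds the hidden
            // field automatically; a forged cross-site form cannot know it.
            .csrf(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/css/**", "/js/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // Logout is a POST and therefore also requires the CSRF token,
            // so an attacker cannot log the victim out with a hidden form.
            .logout(Customizer.withDefaults());
        return http.build();
    }
}
```

    With this in place, a POST to a browser endpoint such as /account/email that arrives without a valid _csrf value is rejected by Spring Security with HTTP 403 before it reaches the controller, while the same forged request against /api/** fails simply because it carries no Authorization header. If the UI is a JavaScript single-page app rather than server-rendered forms, switch the browser chain to CookieCsrfTokenRepository.withHttpOnlyFalse() and send the XSRF-TOKEN cookie back in the X-XSRF-TOKEN header, as described in the Spring Security reference.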

     

    This article explains CSRF attacks, how they exploit browser trust, and strategies to protect applications, including using CSRF tokens, JWT, updates, and safe browsing practices.

    Last updated on Dec 30, 2024