Last Updated on April 6, 2021 by Calvin C.
A CSRF attack (Cross-Site Request Forgery) is a type of attack in which a malicious request is sent by an unsuspecting, authenticated user to a web application. It is also called:
- One-click attack
- Session riding
- Sea surf
- Hostile linking
In this situation the attacker tricks the unfortunate victim into sending requests on their behalf.
Once there is an active administrative session, the attacker can take control of the session or alter settings.
Background of CSRF attack
This is an extension of the previous article on ways to secure your network. You can read it here.
CSRF attacks have been around since the early 2000s, and in most cases the attack leaves no trace because an authentic user is used to carry it out.
In the attack, the victim performs unwanted actions on a web application that they have access to and these actions may include:
- Changing a password
- Transferring funds
- Changing email address
- Other administrative changes
Most of the time, browser requests have credentials associated with a target site, like cookies, IP address, domain credentials etc.
Therefore, the site cannot distinguish between requests generated by an attacker and requests generated by the user, since proper authentication is present either way.
One thing to note is that in a CSRF attack, what the attacker wants is for the user to change the state of the server, as opposed to retrieving data.
Retrieving data doesn’t benefit the attacker because since it’s an authentic request, the response is received by the victim, not the attacker.
However, once the server has been compromised, the attacker can take advantage of the newfound gap to mount further attacks.
How do attackers pin their victims?
One of the ways in which an attacker lures the victim is by using a bit of social engineering.
The goal is to trick the victim into performing specific tasks that cause actions like delivery of malware or altering settings.
Social engineering comes in one of these 4 ways:
Vishing
Here, social engineering is executed over the phone.
One example is a call from the attacker pretending to be a bank assistant. The victim may be asked to perform certain actions like responding to an email.
Phishing
Most cases of phishing involve the attacker sending an email to the victim.
The email usually prompts the user to click a link to execute a specific request or risk facing a penalty or missing a deadline.
In this case, the attacker masquerades as someone from a financial institution or some other legitimate business.
Smishing
This is a similar attack that makes use of SMS messages to lure a victim into clicking malicious links or giving up sensitive information.
What is effective against CSRF attacks?
Synchronizer token pattern, also called anti-CSRF token
The web application sends a unique token to the user's browser and checks that it is sent back with every state-changing request.
This token is randomly generated and cannot be guessed by the attacker, so if the token is missing or does not match, the application rejects the request.
Same site flag in cookies
Here cookies are marked "SameSite", so the browser only attaches them to requests that originate from the same site and omits them from requests made from the attacker's domain.
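The two defences above, put together as an added example (not code from the original article): a per-session anti-CSRF token that every state-changing POST must echo back, and a session cookie issued with the SameSite flag. The session store and the handler names are hypothetical stand-ins for whatever framework you use.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory session store: session_id -> {"user": ..., "csrf_token": ...}
SESSIONS = {}

def create_session(user):
    """Start an authenticated session and mint a fresh, unguessable anti-CSRF token for it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id

def session_cookie_header(session_id):
    """Build the Set-Cookie header so the browser omits the cookie on cross-site requests."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True    # not readable by page scripts
    cookie["session"]["secure"] = True      # HTTPS only
    cookie["session"]["samesite"] = "Strict"  # never sent on cross-site navigations or forms
    return cookie.output(header="Set-Cookie:")

def render_form_token(session_id):
    """Value to embed as a hidden field in every state-changing form the app renders."""
    return SESSIONS[session_id]["csrf_token"]

def handle_state_change(cookies, form):
    """Validate a POST: the session must exist and the submitted token must match the stored one."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not authenticated"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; a missing or wrong token rejects the request before any change
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    session["user"]["email"] = form["email"]
    return 200, "email updated"
```

A forged cross-site form can carry neither the token (it never sees the page that embeds it) nor, with SameSite=Strict, the session cookie, so it fails at one of the two checks.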
What is not effective against CSRF attacks?
An attack can still occur over HTTPS.
Multi-step transactions do not help either because if the attacker is able to predict when a transaction is complete, a CSRF attack can be mounted.
Even if secret cookies are used, the browser still attaches them automatically to every request to that site, so a CSRF attack can still occur.
Having the web application accept POST requests only is also ineffective, because the attacker can trick the user into submitting a forged POST request.
CSRF attack on routers
A CSRF attack can be mounted against your WiFi router, letting the attacker control or alter the settings of the hardware.
Once they are in, they can cause a great deal of damage that includes corrupting data or setting up means to carry out remote attacks.
Tell-tale signs of a CSRF attack on your router vary, but common ones are changes in:
- Remote access settings
- DNS server settings
- VPN profiles
- Number of admin users
The nature of the changes depends on what the attackers want to achieve.
In most cases, you realize that you have been attacked when it’s too late.
Protecting your router against CSRF attacks
- Do not open other sessions when administering a router
- Make sure you log out of the admin panel when you have finished accessing the admin panel
- Only open the control panel when there is need to change admin settings
- Keep the firmware up-to-date
- If there is a physical button to log out of the admin panel, use it.
- Before you administer a router, restart the browser
- Keep auto-log out active so that you are logged out when there is prolonged inactivity
CSRF attacks are amongst the most serious attacks that compromise security and privacy.
As I highlighted above, it is difficult to detect because you are the one who authenticates access to the application or hardware.
The only mistake is that you leave an active session, giving an attacker time to mount an attack.
Online security and privacy are also protected by a reliable VPN service.
You can install one on your router and encrypt all the traffic that is connected to the WiFi network.