Insecure Access Control
Cross-Site Request Forgery
About Cross-Site Request Forgery (CSRF)
What is Cross-Site Request Forgery?
Cross-site request forgery (CSRF or XSRF) is a type of web application vulnerability that allows an attacker to exploit the trust relationship between a user's web browser and a web application. The vulnerability occurs when a web application doesn't adequately verify that a request comes from an authorized user, and it can allow an attacker to force an unsuspecting user to perform actions on the application without their knowledge or consent.
In a CSRF attack, an attacker will create a malicious website or email that contains a link or form that automatically sends a request to the vulnerable web application. If the victim clicks on the link or submits the form, the request will be sent to the web application, and the application will assume that it was initiated by the legitimate user.
Check out this video for a high-level explanation:
What is the impact of Cross-Site Request Forgery?
Some potential impacts of CSRF attacks are:
- Unauthorized actions: An attacker can use a CSRF attack to force a user to perform unauthorized actions on the vulnerable web application, such as changing their password, making unauthorized purchases, or deleting or modifying data.
- Data breaches: An attacker can use a CSRF attack to override sensitive information from the vulnerable web application, such as login credentials.
- Financial loss: An attacker can use a CSRF attack to force a user to make unauthorized financial transactions, resulting in financial loss for the victim.
- Reputation damage: A successful attack exploiting a CSRF vulnerability can lead to loss of customer trust and reputational damage for the organization.
- Regulatory violations: A successful attack exploiting a CSRF vulnerability can lead to violations of regulatory requirements, such as data protection laws.
How to prevent Cross-Site Request Forgery?
To prevent cross-site request forgery (CSRF) attacks, web applications can implement the following measures:
- Implement CSRF tokens: Use CSRF tokens to ensure that requests are made by legitimate users and not by attackers. The token is a unique value that is generated for each user session, and it is included in each form or link request. The server-side application checks that the token matches the user's session, and if not, it rejects the request.
- Use HTTP Referer header validation: Validate the HTTP Referer header to ensure that requests are coming from the expected source. This can help prevent attackers from spoofing the source of a request.
- Use anti-CSRF frameworks: Use anti-CSRF frameworks or libraries that provide built-in protection against CSRF attacks, such as Django's CSRF protection, Spring Security's CSRF protection, or the OWASP CSRFGuard library.
- Use SameSite cookies: Use SameSite cookies to prevent CSRF attacks that leverage session hijacking through cross-site scripting (XSS) vulnerabilities.
- Limit the use of HTTP methods: Limit the use of sensitive HTTP methods (e.g. PUT, DELETE) to authenticated and authorized users only.
References
Taxonomies
Explanation & Prevention
- OWASP: Cross-Site Request Forgery (CSRF)
- OWASP: Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
- OWASP: Testing for Cross-Site Request Forgery (CSRF)
- OWASP: CSRFGuard
- Portswigger - CSRF
Related CVEs
Training
Fixing Cross-Site Request Forgery
A CSRF vulnerability has been detected by our runtime engines.
Fixing advice for common languages is listed below:
Open Redirects
About Open Redirects
What are open redirects?
Open redirect is a web application vulnerability that occurs when an application uses unvalidated user input as part of a redirect URL.
An attacker can exploit this vulnerability by manipulating the input to redirect a victim to a malicious site. The impact of this vulnerability can range from phishing attacks to theft of sensitive information.
Check out this video for a high-level explanation:
What is the impact of open redirects?
An open redirect vulnerability can allow an attacker to:
- Conduct phishing attacks: An attacker can trick a victim into clicking a link that appears to be legitimate but actually redirects them to a malicious website where their sensitive information can be compromised.
- Steal sensitive information: An attacker can craft a URL that appears to be legitimate but redirects to a site that steals the victim's sensitive information, such as login credentials or credit card information.
- Distribute malware: An attacker can use an open redirect to send victims to a site that distributes malware, allowing them to gain control of the victim's device.
How to prevent open redirects?
To prevent improper open redirect vulnerabilities, it is important to implement secure coding practices, including:
- Validate redirect URLs: Ensure that all redirect URLs are validated and verified before being used in the application. This can include ensuring that the redirect URL is within the same domain as the current page or using an allow list of permitted domains.
- Avoid using untrusted input: Avoid using untrusted user input as part of a redirect URL. Use a standard URL-building function instead, which allows you to control the parameters used in the redirect URL.
- Implement security headers: Implement security headers such as Content-Security-Policy (CSP) and X-Frame-Options to help prevent open redirect attacks.
- Use secure coding practices: Use secure coding practices to prevent open redirect vulnerabilities. This includes input validation, output encoding, and regular security audits.
References
Taxonomies
Explanation & Prevention
Related CVEs
Training
Fixing Open Redirects
An open redirect has been detected by our runtime engines.
Fixing advice for common languages is listed below:
Session ID In URL
About Sensitive Data in URLs
What is Sensitive Data in URLs?
Sensitive data in URLs refers to confidential or personally identifiable information that is included in the web address (URL) of a webpage. This can include information such as usernames, passwords, session IDs, credit card numbers, and other sensitive information that should not be visible or accessible to unauthorized parties.
Sensitive data in URLs can be a security risk because URLs can be intercepted and viewed by third parties, such as internet service providers, proxies, or attackers who are monitoring network traffic. If sensitive data is included in a URL, it can be captured and used by attackers to gain unauthorized access to user accounts, steal sensitive information, or carry out other types of attacks.
Check out this video for a high-level explanation:
What is the impact of Sensitive Data in URLs?
Sensitive data in URLs can lead to various security threats, such as:
- Information disclosure: Sensitive data in URLs can be intercepted by attackers, leading to the exposure of confidential or personally identifiable information.
- Account hijacking: Attackers can use sensitive data in URLs, such as session IDs, to gain unauthorized access to user accounts and perform various malicious activities, such as stealing sensitive information or modifying account settings.
- Phishing attacks: Attackers can create fake web pages that mimic legitimate sites and include sensitive data in URLs to trick users into revealing their login credentials or other sensitive information.
- Cross-site scripting (XSS) attacks: Attackers can inject malicious code into URLs that, when executed by a user's browser, can steal sensitive data, such as cookies or session IDs.
Overall, sensitive data in URLs can compromise the confidentiality, integrity, and availability of user data, leading to a range of security threats and risks.
Attackers can obtain information from query strings that can be utilized in attacks against the application and its users.
How to prevent Sensitive Data in URLs?
To mitigate the risk of sensitive data in URLs, follow security best practices, such as encrypting data using secure protocols like HTTPS, avoiding the use of GET requests for sensitive data, and using session tokens or cookies to manage user sessions instead of embedding session IDs in URLs.
By following these best practices, web applications can help protect sensitive data and ensure the security and privacy of user information.
References
Taxonomies
Explanation & Prevention
Related CVEs
Training
Fixing Session ID In URLs
A Session ID has been detected in a URL by our runtime engines.
Fixing advice for common languages is listed below: