CSRF Attacks: How They Work and How to Stop Them


Cross-Site Request Forgery (CSRF) is one of the most common web application vulnerabilities that can allow attackers to perform unauthorized actions on behalf of a legitimate user without their knowledge. In this article, we’ll walk through a practical example of a CSRF attack using the Damn Vulnerable Web Application (DVWA), a purposely vulnerable web app often used for learning and testing security techniques. By understanding how CSRF works, you can better protect your web applications from these attacks.

What is CSRF?

Cross-Site Request Forgery (CSRF) is an attack that tricks a user into performing unwanted actions on a website where they are authenticated. The attacker exploits the trust that a web application has in the user’s browser, often by getting the user to unknowingly execute harmful requests like changing account settings or transferring money. Since these actions are taken under the authority of the user (with their session cookie), the attacker can gain full control of the user’s account.

Setting Up DVWA for CSRF Testing

To demonstrate how CSRF works, we will use the DVWA (Damn Vulnerable Web Application) which is a training ground for web application security. The first step in this process is setting up DVWA and configuring it to have a low-security level to expose vulnerabilities.

  • Login to DVWA
    After opening the DVWA app in your browser, use the default credentials to log in: Username: admin, Password: password
  • Set Security Level to Low
    In the DVWA application, go to the security settings and set the security level to “Low.” This will disable several protection mechanisms, making the CSRF vulnerability easier to exploit.
  • Navigate to the CSRF Page
    In the left sidebar of the DVWA app, locate and click on the “CSRF” link. A password change form will appear with fields for a new password and a confirmation password, as well as a submit button.


Exploiting CSRF: Step-by-Step

To demonstrate how an attacker might exploit a CSRF vulnerability, we will simulate a scenario where an attacker is able to change the password of a victim without their knowledge.

  • Change the Password
    In the password change form, input any password (e.g., “password”) in both the “New password” and “Confirm password” fields. Once you submit the form, the DVWA will process the request, and your password will be changed. You will notice that the request is sent as a GET request with the following URL:
http://192.168.148.139/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change#


This URL contains the new password in plain text, which can be intercepted and used in an attack.

  • Crafting the Malicious CSRF Attack
    Now that you know the structure of the GET request, an attacker can create a malicious HTML page that embeds this URL in a link. The link performs the same password-change action without the victim’s consent. Below is the code for the malicious CSRF page (saved as csrf.html):
<!-- CSRF HTML form -->
<html>
<body>
<a href="http://192.168.148.139/dvwa/vulnerabilities/csrf/?password_new=testpassword&password_conf=testpassword&Change=Change#" target="_blank">Click Me</a>
</body>
</html>

In this page, the attacker has changed the password to “testpassword” and placed it within the GET request URL. The victim sees nothing but a “Click Me” link; there is no indication that their password is about to be changed.


  • Sending the Malicious Link to the Victim
    After logging out and logging back in so that the victim has a fresh, authenticated session cookie, the attacker sends the csrf.html file to the victim. The victim, unaware of the malicious intent, opens the file in their browser and sees a link that says “Click Me.”


  • Victim Clicks the Malicious Link
    When the victim clicks the “Click Me” link, the password is changed on the server without their knowledge. The victim’s password is now set to “testpassword,” as specified in the malicious URL crafted by the attacker.


  • Attacker Logs In Using the Victim’s New Password
    With the password now changed to “testpassword,” the attacker can log in to the victim’s account using these new credentials, thereby gaining access to their account. The CSRF attack is now complete, and the attacker has successfully hijacked the victim’s account.

How to Protect Against CSRF Attacks

To prevent CSRF attacks, web developers should implement several defense mechanisms:

  • Use Anti-CSRF Tokens
    Each time a sensitive action is performed (like changing a password), a unique token should be included in the form or request. This token is checked on the server side to ensure the request is legitimate.
  • SameSite Cookies
    By setting the SameSite attribute on session cookies, you can prevent cookies from being sent with cross-site requests, mitigating the risk of CSRF.
  • Check Referrers
    Web applications should validate the Referer header to ensure that requests are coming from trusted sources.
  • Implementing Double Submit Cookies
    This technique involves sending the CSRF token both as a cookie and as a parameter in the request, ensuring that both values match on the server side.
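The following is an added Python example, not DVWA’s own PHP code, showing how a password-change handler would apply the four defences above to the exact GET request from the walkthrough. The server secret, the `user_token` and `csrf` names, and the request dictionaries are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed for this example: a server-side secret and the DVWA origin used in the article.
SERVER_SECRET = b"example-only-server-secret"
TRUSTED_ORIGIN = "http://192.168.148.139"


def csrf_token_for(session_id: str) -> str:
    """Derive a per-session anti-CSRF token as HMAC(secret, session id); no token store needed."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with SameSite=Strict so the session cookie is not sent on cross-site requests."""
    return f"PHPSESSID={session_id}; HttpOnly; Secure; SameSite=Strict"


def change_password(method: str, headers: dict, cookies: dict, params: dict) -> tuple:
    """Hardened password-change handler applying the article's defences; returns (status, message)."""
    session_id = cookies.get("PHPSESSID")
    if not session_id:
        return 401, "not authenticated"
    # 1. A state-changing action must not be reachable via GET (DVWA 'low' accepts the GET shown above).
    if method != "POST":
        return 405, "password change requires POST"
    # 2. Origin/Referer check: Origin is preferred, Referer is the fallback; anything else is rejected.
    source = headers.get("Origin") or headers.get("Referer") or ""
    src, trusted = urlparse(source), urlparse(TRUSTED_ORIGIN)
    if (src.scheme, src.netloc) != (trusted.scheme, trusted.netloc):
        return 403, "cross-site or missing origin rejected"
    # 3. Anti-CSRF token: the form value must equal the session-bound token (constant-time compare).
    expected = csrf_token_for(session_id)
    submitted = params.get("user_token", "")
    if not hmac.compare_digest(submitted, expected):
        return 403, "invalid CSRF token"
    # 4. Double submit: the same token echoed in a cookie must match the form parameter.
    if not hmac.compare_digest(cookies.get("csrf", ""), submitted):
        return 403, "double-submit cookie mismatch"
    if params.get("password_new") != params.get("password_conf"):
        return 400, "passwords do not match"
    return 200, "password changed"


def replay_article_get_request(session_id: str) -> tuple:
    """Replay the GET from the article's csrf.html against the hardened handler; it is rejected."""
    params = {"password_new": "testpassword", "password_conf": "testpassword", "Change": "Change"}
    return change_password("GET", {}, {"PHPSESSID": session_id}, params)
```

Note that a missing Referer (privacy settings, some cross-scheme navigations) is treated as untrusted here, which is why the token check, not the Referer check, carries the real weight.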

Conclusion

CSRF attacks exploit the trust a website has in the user’s browser. By simulating a CSRF attack on DVWA, we can see how a simple malicious link can lead to account hijacking. However, by implementing security measures such as anti-CSRF tokens, SameSite cookies, and referer validation, developers can significantly reduce the risk of such attacks. Ensuring your web application is secure against CSRF is essential for maintaining user safety and preventing unauthorized access.
