What is CSRF Protection really for?

Question

I've been hearing about CSRF a long time ago, and the thing I hear most of the time is:

Protecting against CSRF attacks is important so that someone doesn't submit your form automatically (using a bot or something)

Well, that isn't 100% true, is it?

I've been doing web scraping for about 3 years, and it is pretty straightforward to make a request, parse the csrftokenmiddleware field and POST it along with the other fields.

So, what is it really for?

@agf I just read that question, and I don't see the duplication `:(` — Oscar Mederos, Apr 20 '12 at 07:54
You describe an "anonymous" post. It's all about protecting that post from happening with a real logged in user's credentials. — Cheekysoft, Apr 20 '12 at 09:30

score 18 · Answer 1 · answered Apr 20 '12 at 11:15

Imagine an e-banking web application at banking.example.com with the following form to submit a transaction:

<form action="/transaction" method="post">
    <input type="text" name="beneficiary"/>
    <input type="text" name="amount"/>
    <input type="submit" value="Pay"/>
</form>

An attacker could now set up a website at hacker.net with the following:

<form action="https://banking.example.com/transaction" method="post" style="visibility:hidden">
    <input type="text" name="beneficiary" value="John Doe, Account No. 34-236326-1"/>
    <input type="text" name="amount" value="1000000"/>
    <input type="submit" value="Pay"/>
</form>
<script>
    document.forms[0].submit();
</script>

The attacker would then trick victims into visiting hacker.net, which will cause the victims' browsers to send a POST request to the e-banking application, making a large transaction to the hacker. This works because the victim's browser happily sends the session cookie along with the forged POST request to the e-banking application. If the form would have been protected by a CSRF token, then the attacker could not have caused the victim's browser to send a valid POST request and thus the attack would not be possible.

This type of attack is called a Cross-Site Request Forgery (CSRF) attack.

Incidently, CSRF attacks are also the reason why people give the advice of never ever visiting other websites while being logged into an e-banking or other critical web application.

CSRF tokens do not protect a web form being automatically submitted by regular authorized users as themselves. To protect from that, you'd use a CAPTCHA.

How do you think this is different from validating the referrer on the server side? Without supporting csrf cookies but doing only this validation, I can still identify the attack. — Ethan, Jan 10 '13 at 14:26
Ok, I found out why the referrer is not used. It's blocked in many cases as it's considered to hold sensitive information sometimes. Corporates and their proxies typically do that. However, if HTTPS is used, then there is more likelihood that it will not be blocked. And, there are also mentions that the referrer can be spoofed. — Ethan, Jan 10 '13 at 21:27
I came across this question again while taking to a friend about CORS. `document.forms[0].submit();` wouldn't work anyway because of the same-origin policy, right? — Oscar Mederos, May 11 '16 at 21:07
No, for historical reasons, form submission is not subjected to the same-origin policy. — Daniel Roethlisberger, May 13 '16 at 09:06

score 9 · Answer 2 · edited May 23 '17 at 11:51

Yes, you can scrape the form and get the CSRF prevention token. But you can't submit the form without scraping the site, and you can't get a token from someone else and then submit the form -- it's linked to a session. That's what CSRF protection really prevents, someone tricking a user into submitting a form.

A more general description of CSRFs, originally posted in response to Django's comments framework and CSRF:

A CSRF is an attack where someone without permission to access a resource tricks someone who does have permission into accessing it.

So, for example, CSRF protection could prevent someone from tricking a user into posting a comment with a spam or malware link in it. Alternatively, the request they trick the user into making could be malformed, made to crash your webserver, or include code meant to slip through the validation process and cause damage to your database or compromise your site in other ways.

So without CSRF protection someone could, theoretically, trick a logged in user into submitting a comment they didn't actually write.

With CSRF protection, Django will detect that it wasn't real data submitted through the actual form on your site, and will reject it.

score 2 · Answer 3 · edited May 23 '17 at 11:51

2

You won't be able to

to make a request, parse the csrftokenmiddleware field and POST it along with the other fields.

because JS on a different domain won't be able to fetch and use data from your domain to construct requests if your server is configured properly.

Read about CORS.

edited May 23 '17 at 11:51

Community

1
1

answered Aug 12 '14 at 19:46

warmspringwinds

1,147
2
14
31

score 1 · Answer 4 · answered Apr 20 '12 at 08:00

It's a protection for a different type of scenario. Sometimes the attacker is able to inject either javascript, either iframes or img src-s to a page of yours, in a place that any logged in user can access. When user accesses the page (let's say a page with comments, and one comment requests a link by the attackers posting), that request is being made by the loggedin user's browser, altogether with his cookies. CSRF basically protects this kind of triggered submits (simple client-side submits). Of course, any attacker can request the page, parse it for the token and create the request with the token, but can not do this on beside of a logged in user.

What is CSRF Protection really for?

4 Answers4

Linked