CSRF- Netflix and Youtube are victims of it

Photo by Samet Özer on Unsplash

The fundamental of CSRF

The fundamental of CSRF
  1. First, the user must log in to the page they need (Temporarily called site A).
  2. To seduce users, hackers will create a malicious website.
  3. When a user accesses this malicious web, a request will be sent to the A site that the hacker wants to attack (via form, img, …).
  4. Because ,there is a cookie attached to the user in this request, site A will mistakenly believe that this is a request made by the user.
  5. Hackers can impersonate users to do actions such as changing passwords, transferring money, …

Common types of attacks

Type 1. Use forms

Real site
Fake Site

Type 2. Use img tag

Prevention for website

Photo by Jeffrey F Lin on Unsplash
  • Use CSRF Token: In each form or request, we attach a CSRF token. This token is created based on the user’s session. When sending to the server, we check the authenticity of this session. Because this token is randomly generated based on session, hackers cannot fake it (frameworks like RoR, CodeIgniter, ASP.NET MVC all support CSRF token).
  • Check the Referer and Origin values ​​in the header: Origin tells us the website calls this request. This value is included in each request and cannot be edited by the hacker. Check for this value; if it is a strange page, then do not process the request.
  • Check the X-Requested-With: Request header that contains this header is a secure request because this header prevents us from sending requests to other domains (details).
  • Be careful to prevent XSS errors: With XSS, hackers can install malicious code on the website to attack. At this point, all anti-CSRF methods such as tokens, referrers are disabled.

Conclusion

Sources for further reference:

--

--

--

Always be nice to anybody who has access to my toothbrush.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Stripe is not available in my country. How can I be a Medium writer?

Listing at IndoEx Crypto-Exchange

Postman — HTB

Gigachad -: (Vulnhub) Walkthrough

Makeflo.ru Removal Guide — How to Get Rid of Makeflo.ru?

Wife big bit crime computer why.

The Internet Archive Is Being Used As A Disinformation Mule

How Can I Secure My Network & Devices Against Diverse Modes of Attack?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Beribey

Beribey

Always be nice to anybody who has access to my toothbrush.

More from Medium

CircleCI - Enhance your CI/CD code with private orbs

With images, you can understand these updates faster. Let’s dig deeper.

Learn with Pinky Pea!!!

Bored of Selenium? Try out TestCafe!