CSRF: Netflix and YouTube are victims of it


The fundamentals of CSRF

  1. First, the user logs in to the site they want to use (call it site A), so the browser now holds site A's session cookie.
  2. To lure the user in, the hacker builds a malicious website.
  3. When the user visits this malicious site, it makes the browser send a request to site A, the site the hacker actually wants to hit (via a form, an img tag, ...).
  4. Because the browser attaches the user's session cookie to that request, site A mistakenly believes the request was made by the user.
  5. The hacker can therefore act as the user: change the password, transfer money, ...

Common types of attacks

Type 1. Use a form

The malicious page contains a form whose action points at site A and whose fields carry the values the hacker wants submitted; a script on the page submits it as soon as the page loads, and the browser sends it with site A's cookie.

[Screenshots: real site; fake site]

Type 2. Use an img tag

The malicious page embeds an image whose src is a URL on site A. The browser fetches it with a GET request carrying the cookie, so this variant only works when site A performs the action on a GET request.

Prevention for websites

  • Use a CSRF token: attach a CSRF token to every form or state-changing request. The server generates it randomly, stores it with the user's session, and on each request checks that the submitted token matches the session's token. A page on another origin can neither read the token out of site A's pages (same-origin policy) nor guess it, so it cannot forge a valid request (frameworks such as RoR, CodeIgniter and ASP.NET MVC all ship CSRF token support). Compare tokens in constant time.
  • Check the Referer and Origin request headers: Origin tells you which site issued the request. The browser sets it itself on cross-origin POSTs and page script cannot alter it. If the value is not your own site, do not process the request. Caveat: Origin and Referer are sometimes absent (privacy settings, some proxies), so for a state-changing request treat a missing value as cross-site rather than as trusted, and use this check alongside the token rather than instead of it.
  • Check the X-Requested-With header: a request carrying this header came from XMLHttpRequest or fetch, and a page on another domain cannot add a custom header to a request to your site without a CORS preflight that your server would have to approve; a plain form or img tag cannot set it at all. It is a weaker signal than the token and only useful for endpoints that are called exclusively from script.
  • Be careful to prevent XSS: with XSS the hacker runs script inside site A itself, in the user's session, so it can read the token from the page and send requests that look same-origin. At that point every anti-CSRF measure (tokens, Referer/Origin checks, custom headers) is bypassed.

Conclusion

Beribey
