Skip to main content

Cross-site request forgery

Description

The applications configuration allows an attacker to trick authenticated users into executing actions without their consent.

Impact

Impersonate a user request to execute malicious actions in the application.

Recommendation

Use of tokens in forms to verify requests done by legitimate users.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: R
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 4.3
    • Temporal: 4.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application should make use of unique tokens included in the forms, to validate requests and avoid manipulated data

<html>
<body>
<input type="hidden" name="csrf-token" value="CIwNZNlR4XbisJF39I8yWnWX9wX4WFoz" />
<input type="text" name="name" id="name" placeholder="Name" required/>
<label id="icon" for="name"><i class="fas fa-unlock-alt"></i></label>
<input type="password" name="name" id="name" placeholder="Password" required/>
</body>
</html>

Other options would be to use frameworks with built-in CSRF protection

Non compliant code

Vulnerable request that could be potentially handled by the application, it defines a set value for a cookie session which would be shared among all the subdomains. It is also using a GET request to change state data

GET /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: session=yvthwsztyeQkAPzeQ5gHgTvlyxHfsAfE
[email protected]

Requirements