To explain how the vulnerability takes place, we need to understand how the user’s browser and a website communicate.
Here, we’ll discuss two kinds of HTTP requests and browser cookies:
i. HTTP GET Request
When you visit a website, you send an HTTP GET request to the server of that website. This request will ask for the data that is needed to display the front-end of the site. The web server will respond and send the data requested. Then, the contents of the website will load on your browser.
When a person is not logged into a site, they are an unauthenticated user. So when GET and POST requests are sent, no cookies are used. There are no security issues in this scenario. But when the user has logged in, they are now an authenticated user.
ii. The CSRF Process
We’ll explain this with an example. Here, we’ll show you how a hacker can take control of a user’s account and then use it to hack your website using a CSRF vulnerability.
What Happens On The User Side?
- A user is logged into targetwebsite.com on their browser.
- Next, the hacker lures this user into clicking on trickwebsite.com by sending them an email that tells them to visit this site and sign up to receive $50 in their account. (These links can also be inserted on the targetwebsite.com itself using other vulnerabilities)
- We’re going to assume that the victim thinks this trick website is legitimate and falls for the scam. Here, they fill up a form with their details and click on ‘Submit’.
- On trickwebsite.com, the hacker has already placed HTML code behind this ‘Submit’ button. When clicked upon, it will send a POST request to targetwebsite.com (where the user is already logged in) on behalf of this user.
What Happens On The Website Side?
- Using cookies, targetwebsite.com verifies the user (and the browser) and allows the request. This request will look legitimate as it’s coming from the authenticated user.
- But the POST request sent contains malicious script that could do harm to the website. For instance, the script could contain a command to change the current account password to “newpassword123”.
- When the request is accepted by targetwebsite.com, the code will run and change the password. Then, the hacker will be able to login to the account using the new password and take full control.
- Next, the hacker can now run further attacks on the website. Depending on the privileges granted to this user, they might be able to access targetwebsite.com’s database and take control of functionality as well.
This is just one example of what a hacker can do using CSRF attacks. There are plenty of other scenarios that can take place. But both the user and the website will be affected by this hack.