Cross-Site Request Forgery
Fleeting
- External reference: https://owasp.org/www-community/attacks/csrf
- External reference: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
- External reference: https://en.wikipedia.org/wiki/Cross-site_request_forgery
Cross site request forgery or CSRF
— https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3
web browser to perform an unwanted action on another trusted site where the user is authenticated
— https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3
possible when the browser automatically sends an authorization resource, such as a session cookie, IP address or similar, with each request.
— https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3
easy to implement patterns that prevent these web attacks. One of the most common patterns is the usage of a CSRF token. Basically the procedure is the following:
- Generate a unique token for each user’s request, a so-called CSRF token.
- Store it safely on the server and send it back to the user as the payload of the response.
- Store the CSRF token on the client side.
- When the user tries to execute any state-changing* request, send that CSRF token with the request as a payload.
- Before executing that request on the server side, check that the CSRF token is present and valid.
— https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3
If you are dealing only with visitors that use modern browsers then you can rely on the SameSite attribute of the session cookie
— https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3
no protection against CSRF attacks if your web application is XSS vulnerable!
— https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3
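The five-step token procedure quoted above, worked through as an added example (my code, not the dev.to article's): a synchronizer token kept server-side per session, sent only in the payload, checked in constant time on state-changing requests and rotated after each one. The in-memory session store, the session ids and the email-change handler are constructed stand-ins.

```python
import hmac
import secrets
from typing import Optional

# Constructed in-memory session store; a real app would use its session backend.
_sessions: dict = {}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Steps 1-2: mint a random token and keep it server-side, keyed by the
    session. The caller returns it in the response payload (hidden form field
    or JSON), never as a cookie the browser would attach automatically."""
    token = secrets.token_urlsafe(32)
    _sessions.setdefault(session_id, {})["csrf"] = token
    return token


def validate_csrf(session_id: str, method: str, submitted: Optional[str]) -> bool:
    """Step 5: state-changing methods must carry a token equal to the stored one.
    Safe methods are exempt, which is only sound if they really change nothing."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = _sessions.get(session_id, {}).get("csrf")
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so timing does not leak token bytes.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_request(session_id: str, method: str, form: dict) -> tuple:
    """Minimal dispatcher returning (status, body, fresh_token). A cross-site
    form post arrives with the session cookie but cannot know the token, so it
    is refused before any state changes. A successful change rotates the token."""
    if not validate_csrf(session_id, method, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid", None
    if method.upper() == "POST":
        _sessions[session_id]["email"] = form.get("email", "")
        return 200, "email updated", issue_csrf_token(session_id)
    return 200, "ok", None


if __name__ == "__main__":
    tok = issue_csrf_token("sess-A")
    print(handle_request("sess-A", "POST", {"csrf_token": tok, "email": "a@example.org"}))
    # Forged cross-site request: session cookie present, token absent.
    print(handle_request("sess-A", "POST", {"email": "evil@example.org"}))
```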
In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend
Remember that Cross-Site Scripting (XSS) can defeat all CSRF mitigation techniques
Forcing the victim to retrieve data doesn’t benefit an attacker because the attacker doesn’t receive the response, the victim does. As such, CSRF attacks target state-changing requests.
CSRF attacks target functionality that causes a state change on the server, such as changing the victim’s email address or password, or purchasing something
For most sites, browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.
Notes linking here
- ory Cookie-based security model
- Securing-SPAs-and-Blazor-Applications-using-the-BFF-Backend-for-Frontend-Pattern-Dominick-Baier
- trying authenticating to keycloak using google as Identity Provider