Cross-Site Request Forgery

A typical Cross-Site Request Forgery (CSRF or XSRF) attack aims to perform an operation in a web application on behalf of a user without their explicit consent. In general, it does not directly steal the user's identity; instead, it exploits the user's authenticated browser to carry out an action against their will. For example, it can make the user's browser change the email address or password in their profile, or even perform a money transfer.

In a nutshell, a typical CSRF attack happens as follows:

  1. The attacker lures the user into performing an action, such as visiting a web page, clicking a link, or similar.

  2. This action sends an HTTP request to a website on behalf of the user.

  3. If the user has an active authenticated session on the trusted website, the request is processed as a legitimate request sent by the user.

As you can see, a CSRF vulnerability in the website is not by itself enough to make the attack successful. The user must also have an active authenticated session on that website at the time the forged request arrives.

CSRF Defense Strategies

There are two complementary strategies for defending against CSRF:

  1. Making sure that the request you're receiving is valid, i.e., it comes from a form generated by the server.

  2. Making sure that the request comes from a legitimate client.

The typical approach to validate requests is using a CSRF token, sometimes also called anti-CSRF token. A CSRF token is a value proving that you're sending a request from a form or a link generated by the server. In other words, when the server sends a form to the client, it attaches a unique random value (the CSRF token) to it that the client needs to send back. When the server receives the request from that form, it compares the received token value with the previously generated value. If they match, it assumes that the request is valid.
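The token flow just described, as an added example that is not part of the original article: the server stores a random token in the user's session, embeds it as a hidden field in the form it generates, and compares the echoed value before changing any state. The in-memory session store, the endpoint path and the field names are assumptions made for illustration, not a real framework's API.

```python
import hmac
import re
import secrets

# Constructed in-memory session store (session id -> data), standing in for a
# framework's server-side session so the example runs on its own.
SESSIONS = {}

def csrf_token_for(sid):
    """Return the session's anti-CSRF token, generating it on first use."""
    return SESSIONS[sid].setdefault("csrf_token", secrets.token_urlsafe(32))

def render_form(sid):
    """Server side: the generated form carries the token as a hidden field."""
    return (
        '<form method="POST" action="/profile/email">\n'
        f'  <input type="hidden" name="csrf_token" value="{csrf_token_for(sid)}">\n'
        '  <input type="email" name="email">\n</form>'
    )

def extract_token(html):
    """Browser side: a legitimate submission echoes the hidden field back."""
    m = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return m.group(1) if m else None

def validate_csrf(sid, form_fields):
    """Reject a missing token or unknown session; otherwise compare in constant time."""
    expected = SESSIONS.get(sid, {}).get("csrf_token")
    submitted = form_fields.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)

def handle_change_email(sid, form_fields):
    """State-changing endpoint: check the token before touching any state."""
    if not validate_csrf(sid, form_fields):
        return 403, "CSRF check failed"
    SESSIONS[sid]["email"] = form_fields.get("email")
    return 200, "email updated"

def demo():
    sid = "victim-session"                   # constructed: user already logged in
    SESSIONS[sid] = {}
    token = extract_token(render_form(sid))  # the user's browser loads the real form
    legit = handle_change_email(sid, {"csrf_token": token, "email": "me@example.com"})
    # A cross-site request rides on the session cookie but never saw the server's
    # page, so it arrives without the token or with a value that cannot match.
    forged = handle_change_email(sid, {"email": "other@example.com"})
    guessed = handle_change_email(sid, {"csrf_token": "A" * 43, "email": "other@example.com"})
    return legit[0], forged[0], guessed[0]
```

Only the submission that echoes the server-issued token is accepted; the two forged requests are rejected with 403 even though they arrive on the same authenticated session.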
