Web Security: Cross-Site Request Forgery (CSRF)

This article covers the basics of Cross-Site Request Forgery (CSRF) and how to keep your website safe from this attack. CSRF is an attack that tricks a user into sending a malicious request to a web server, even though the user is not the attacker. The user can be tricked from outside the site, for example through spam e-mails.

For example, you receive a spam e-mail in your mailbox that contains a link, and the attacker (spammer) uses social engineering to get you to click on it. The link itself carries the malicious request; when you click it, that request is executed on the web server and the victim website is affected.

HTTPS access:

This attack cannot be defended against by using a WAF, a honeypot or any firewall service.

URL rewriting:

Changing the URL is not a good way to protect against this attack: however you mask the URL, the session ID remains the same, so even a child can exploit the session and cookie data, put malicious code in it, and have it execute on the website.

Using HTTP POST requests only:

You can develop a website that uses only POST requests; it is simple, and you can use server-side scripting to check whether a request is a POST, respond if it is and ignore it otherwise. But remember: this is not a good or working method to stop CSRF. Even if you block other request methods, the attacker can build a POST request on any other site and use JavaScript to trigger it against your website.

Secret cookies:

This attack cannot be prevented with secret cookies either, because all cookies are stored in the browser, so the attacker can crack them and put malicious code in them to execute on your website.

How can this attack be defended against?

There is only one answer: validation of the form data that you send from the client side to the server side. Modern browsers do not support cracking cookies, but in case the attacker uses an old browser to make this work, you can put an Access-Control-Allow-Origin: * header on the form data so that no user can crack the request or forge it and send it to the server. CORS (Cross-Origin Resource Sharing) is an HTML5 security system that defends against this attack.
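As an added example (not code from this article), here is one common way to implement the server-side validation described above: a per-session anti-CSRF token embedded in the form and checked on every POST. The secret key, session id and form contents are constructed for the demo, and the HMAC-derived token is an assumed design, not something the article prescribes.

```python
import hmac
import hashlib

# Server-side secret used to derive tokens (constructed for this demo, not from the article).
SECRET_KEY = b"demo-secret-do-not-reuse"

def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to the user's session.

    The token is embedded in the HTML form as a hidden field. A page on another
    origin cannot read it, so a request forged from that page cannot include it.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def validate_request(method: str, session_id: str, form: dict) -> tuple[bool, str]:
    """Server-side check for a state-changing request.

    session_id stands for the value of the session cookie, which the browser
    attaches automatically even to requests the user did not intend to send.
    """
    if method != "POST":
        return False, "method not allowed"          # POST-only is necessary but not sufficient
    token = form.get("csrf_token")
    if not token:
        return False, "missing csrf token"          # forged POST built on another site
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(token, expected):    # constant-time comparison
        return False, "csrf token mismatch"         # token for another session or a guess
    return True, "ok"

def demo() -> dict:
    """Run the cases discussed in the article; all values are constructed."""
    session = "sess-4f2a"                           # victim's session cookie value
    good_form = {"to": "bob", "amount": "10", "csrf_token": issue_csrf_token(session)}
    forged_form = {"to": "mallory", "amount": "1000"}   # built by another site; cookie still sent
    wrong_form = dict(forged_form, csrf_token=issue_csrf_token("sess-other"))
    return {
        "legitimate_post": validate_request("POST", session, good_form),
        "get_request": validate_request("GET", session, good_form),
        "forged_post_no_token": validate_request("POST", session, forged_form),
        "forged_post_wrong_token": validate_request("POST", session, wrong_form),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The forged requests carry the victim's session cookie just like the legitimate one; only the token, which the attacker's page cannot read, tells them apart.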

We will discuss this attack and its prevention measures in practice in the next part of this article.

I hope this was helpful for understanding the CSRF attack.
