Cross Site Request Forgery CSRF Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

In most organizations, the browser is a major application on workstations. Most applications, such as webmail, mobile banking and specialized utility software, are designed to run on this thin client, which is made accessible from various networks, either private, like a VPN, or public, like the Internet. They could contain proprietary information and require authentication, or be accessible to everyone, but all of them can be accessed from a browser using the HTTP or HTTPS protocols. The use of these applications depends on browsers, and in turn on the trust between the browser and the application server. This trust has been exploited using Cross Site Request Forgery, abbreviated as CSRF (pronounced sea-surf).

Cross Site Request Forgery works by exploiting the trust between the site and the user. Every CSRF attack is masqueraded; in other words, the attacker assumes the identity of the legitimate user, and everything done will show the original user as the source. The attacker will usually hide malicious HTML or JavaScript code in an email or website to request a specific 'task URL', which executes without the user's knowledge, either directly or by utilizing a cross-site scripting flaw. It is quite challenging to detect attacks like these because no command is executed outside of the local host.

When utilizing CSRF, an attacker can perform almost every task allowed by the browser. This could include posting content to a message board, subscribing to an online newsletter, performing stock trades, using a shopping cart, or even sending an e-card. CSRF can also be used as a vector to exploit existing cross-site scripting flaws in a given application. An attacker could also utilize CSRF to relay an attack against a site of their choosing, as well as perform a denial-of-service attack in the right circumstances. Cross-site request forgery vulnerabilities are dangerous because they may enable an attacker to perform an unauthorized action in a web application with the rights of a legitimate user and without his consent. Indeed, the request forged by a CSRF attack may contain the information used by the web application to authenticate the user (cookie, HTTP authentication). Since the request is made from the browser of the targeted user, it may enable an intruder to send requests to servers on the internal network, as shown in the picture below. The red box depicts the internal network of an establishment, while the computer on the outside is the intruder. It attacks the computer on the inside and uses its browser and authentication credentials to perform tasks on the internal server of the establishment.

As mentioned above, most CSRF attacks are carried out using embedded scripts in HTML tags, JavaScript, or even image tags. Typically an attacker will embed these into an email or website, so that when the user loads the page or email, the browser performs a web request to any URL of the attacker's liking. Below is a list of the common ways that an attacker may try sending a request.

HTML Methods

  <img src="http://host/?command">
  <script src="http://host/?command">
  <iframe src="http://host/?command">

JavaScript Methods

'Image' Object

  var foo = new Image();
  foo.src = "http://host/?command";

Note: the host placeholder in the tags above stands for the host name or IP address portion of the URL.


<body onload="document.f.submit()">
<iframe src="http://localhost:10000/" name="iframeWebmin" id="iframeWebmin"></iframe>
<form action="https://localhost:10000/useradmin/save_user.cgi" name="f" target="iframeWebmin">
<input type="hidden" name="user" value="CSRF" />
<input type="hidden" name="uid_def" value="0" />
<input type="hidden" name="others" value="1" />
<input type="submit" value="submit" />
</form>
</body>
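
An added example, not part of the original essay and not code from the application targeted above: a server-side check in Python that refuses the forged requests listed here (GET from a tag, cross-site form post) while accepting the application's own form. The csrf_token field name, the trusted origin, the key, the session id and the sample requests are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumptions for this example, not values from any real deployment.
TRUSTED_ORIGIN = "https://localhost:10000"       # origin the application is served from
STATE_CHANGING = {"/useradmin/save_user.cgi"}    # endpoints that modify data
SERVER_KEY = b"constructed-demo-key"             # per-deployment secret (constructed)

def issue_token(session_id):
    """Token bound to one session; the application embeds it in forms it renders itself."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def check_request(method, path, headers, session_id, form):
    """Return (allowed, reason) for a request that already carries a valid session cookie."""
    if path not in STATE_CHANGING:
        return True, "read-only endpoint"
    # <img>, <script>, <iframe> and method-less forms all issue GET: never change state on GET.
    if method.upper() != "POST":
        return False, "state change requires POST"
    # The browser fills in Origin/Referer itself; script on a foreign page cannot set them.
    source = headers.get("Origin") or headers.get("Referer") or ""
    if origin_of(source) != TRUSTED_ORIGIN:
        return False, "cross-origin or missing Origin/Referer"
    # A foreign page cannot read the token, so a forged form cannot contain it.
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, issue_token(session_id).encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"

# Constructed sample requests; the victim's browser attaches the session cookie to each one.
FIELDS = {"user": "CSRF", "uid_def": "0", "others": "1"}
SAMPLES = {
    "forged GET": ("GET", {"Referer": "http://attacker.example/page.html"}, FIELDS),
    "forged cross-site POST": ("POST", {"Origin": "http://attacker.example"}, FIELDS),
    "same-origin POST, no token": ("POST", {"Origin": TRUSTED_ORIGIN}, FIELDS),
    "legitimate form": ("POST", {"Origin": TRUSTED_ORIGIN},
                        {**FIELDS, "csrf_token": issue_token("sess-1")}),
}

def run_samples():
    return {name: check_request(m, "/useradmin/save_user.cgi", h, "sess-1", f)
            for name, (m, h, f) in SAMPLES.items()}

if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {name}: {reason}")
```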




A CSRF attack, like any other attack, is designed to take charge of a repository. The repository could be an access server, a database server, a router, a DNS server, etc. The main purpose of the attack is to make these servers do what the attacking program is designed to carry out. It could be to steal information, manipulate information, destroy information, or compromise the efficacy of the information for personal gain or just for fun. These malicious acts are counter-productive to the development of any establishment. In the event of an attack, it will cost time and money to fix, and in some cases the destroyed information may never be recovered. Depending on the sensitivity of the information involved, litigation may not be avoided. For instance, if you are the network manager of a financial institution and a breach is recorded on your server containing the financial records of the institution's customers, there may be a lawsuit if that information ends up in the wrong hands and is used against the customers. Or, in the case of a breach of the Active Directory, all company-proprietary information is out in the open.

In addition, Internal Auditor stated in its journal that, as of 2001, "computer breaches now cost each affected US company $2 million every year". According to that journal, a total of over $377 million was recorded as the aggregate losses of 200 companies in the year 2000. These losses have to be covered from somewhere: either the company has to raise the price of the goods and services it offers or, if it is a production firm, begin to cut corners. This ultimately leads to job loss or a lower standard of living.

As administrators, it is our duty to make sure these breaches are reduced to the bare minimum. Network architecture, distribution, management and auditing play a vital role in the security of the network. According to Herbert Mattord and Michael Whitman, authors of Principles of Information Security, "… Security breaches are mostly caused by internal users than external sources". With that known, as administrators, we should make the security of the internal network as hardened as that of the external network.

Achieving watertight security on the network does not apply to computers and network elements only; it extends to the users as well. The damage a user can cause on the network is always limited to the privileges extended to that user. It is important to note that all users and programs should be given just the least privileges required to perform their assigned tasks (the principle of least privilege). This will limit the security loopholes on the network, make more resources available for other users, and make accountability a lot easier when auditing is performed. It may involve disallowing several programs like Java, JavaScript, ActiveX and some other add-ons from running on the corporate intranet. Yes, the page may look ugly and funny, but it is better to be protected than sorry.

In addition, using traps from SNMP-enabled clients allows the administrator to keep tabs on network devices remotely. For instance, if there is an installed MIB (Management Information Base) in the router that monitors traffic to a prohibited URL and that policy is violated, the administrator gets an alert on the incident. That gives him total control of the network whether he is on-site or off-site. The MIBs are not limited to traffic leaving the network; several other MIBs are available from Cisco, Juniper, Avaya, etc. that are capable of monitoring metrics such as a threshold on successful pings to the interfaces on the router; ping sweeps are usually monitored with this utility.

In conclusion, CSRF, as trivial as the concept might sound, could be an indication of bigger attacks waiting to happen. As administrators, we are charged to make sure we don't fall victim to these malicious scripts pretending to be legitimate. That means making sure that no person or software has more privilege than required to do its job, and that all traffic in and out of the network has a corresponding MIB in the router monitoring its metrics.