iT邦幫忙

12th iThome Ironman Contest (鐵人賽)

DAY 6
Modern Web

Series: Understanding the web in 30 days, part 6

(Day 06) Introduction to CSRF: Cross-Site Request Forgery

In this article of the series, we discuss Cross-Site Request Forgery, also known as CSRF, XSRF, or Sea Turtle. A CSRF attack tricks a victim into performing an action on the attacker's behalf. The impact of the attack depends on the level of permission the victim has. CSRF has appeared in the OWASP Top 10 list of the most critical risks for web applications.

How a CSRF attack is executed
A CSRF attack has two main parts. The first is tricking the victim into clicking a malicious link, which is normally done through social engineering. The second is the HTTP request that the victim's browser then sends to the target server.

This works because, when the victim's browser sends that request, it checks whether it holds any cookies associated with the target site; if so, those cookies are attached to the request automatically. The cookie typically contains the user's authentication data, so the server treats the forged request as if the victim had made it deliberately.

CSRF attack examples using GET and POST requests

GET
When the victim clicks the malicious link, the browser sends a GET request to the HTTP server. For example:

http://abc.com/transfer?amount=10000&account=alvin

Let's imagine that ABC bank actually performs fund transfers with a GET request. When the victim accidentally clicks the URL above, the victim's browser sends a request to the server telling it to transfer that amount of money to the account named Alvin.

POST

To perform CSRF with a POST request, a few lines of code are needed. For example, the following page uses the body's onload handler to submit the form from the victim's browser automatically as soon as the page has loaded:

<body onload="document.csrf.submit()">
  <form action="http://abc.com/transfer" method="POST" name="csrf">
    <input type="hidden" name="amount" value="10000">
    <input type="hidden" name="account" value="Alfred">
  </form>
</body>

Preventing the CSRF Vulnerability and How Laravel Prevents CSRF Attacks

To prevent Cross-Site Request Forgery we use a challenge token that is sent as a hidden value inside the form. This token, called an anti-CSRF token or synchronizer token, works as follows:

  • The web server generates a token and stores it
  • The token is statically set as a hidden field of the form
  • The form is submitted by the user
  • The token is included in the POST request data
  • The application compares the token generated and stored by the application with the token sent in the request
  • If these tokens match, the request is valid
  • If these tokens do not match, the request is invalid and is rejected

For those using Laravel, protecting a web application from CSRF attacks is easy. Any time you define an HTML form in your application, you should include a hidden CSRF token field in the form so that the CSRF protection middleware can validate the request. You may use the @csrf Blade directive to generate the token field. For example:

<form method="POST" action="/profile">
    @csrf
    ...
</form>
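The synchronizer-token flow listed above, and what Laravel's @csrf hidden field accomplishes, as an added example in plain Python; this is not the post's code nor Laravel's implementation, and the Session class, the /transfer handler and the demo requests are constructed for illustration (the _token field name mirrors the hidden input that @csrf emits):

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed stand-in for the server-side session store: the token lives
# with the user's session, where a page on another origin cannot read it.
@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_transfer_form(session: Session) -> str:
    """Steps 1-2: a CSPRNG token generated per session, embedded as a hidden field."""
    return (
        '<form action="/transfer" method="POST">\n'
        f'  <input type="hidden" name="_token" value="{session.csrf_token}">\n'
        '  <input name="amount">\n'
        '  <input name="account">\n'
        "</form>"
    )


def handle_transfer(session: Session, form: dict) -> tuple[int, str]:
    """Steps 4-7: compare the submitted token with the stored one before acting.
    compare_digest keeps the check constant-time; a missing token fails as well."""
    submitted = form.get("_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "rejected: CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['account']}"


def demo() -> list[int]:
    """A legitimate submission, the forged POST from the attack page above
    (which has no way to learn the victim's token), and a token taken from a
    different user's session: only the first is accepted."""
    victim = Session("victim")
    other = Session("other-user")
    legit = dict(_token=victim.csrf_token, amount="10", account="alvin")
    forged = dict(amount="10000", account="Alfred")      # no _token at all
    wrong = dict(forged, _token=other.csrf_token)        # someone else's token
    return [handle_transfer(victim, f)[0] for f in (legit, forged, wrong)]


if __name__ == "__main__":
    print(demo())  # [200, 403, 403]
```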
