What is CSRF?

Cross-Site Request Forgery (CSRF), also known as a one-click attack or session riding, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.

Imagine this scenario: You’re logged into your online banking account. A malicious website contains a hidden form that’s automatically submitted to your bank. This form might contain a request to transfer funds. Because you’re already logged in, your bank will authenticate the request without further prompting, potentially resulting in a fraudulent transaction. This is a CSRF attack.

How CSRF Works

CSRF exploits the trust a website has in its users’ browsers. The attacker doesn’t need to know the victim’s password or login credentials. Instead, they leverage the victim’s already established session.

The attack typically involves:

  • Malicious Website: This website contains the hidden form or script that initiates the unwanted action.
  • Victim’s Browser: The victim’s browser is already logged into the target website (e.g., online banking).
  • Target Website: The website that’s vulnerable to the attack.

When the victim visits the malicious website, their browser automatically sends the request to the target website, completing the malicious action without the victim’s knowledge or consent.

CSRF Tokens

The most effective defense against CSRF attacks is using CSRF tokens. These are unique, unpredictable values that are generated by the server and included in forms and requests.

When a user submits a form, the server verifies that the token submitted matches the token stored in the user’s session. If they don’t match, it indicates a possible CSRF attack and the request is rejected.

Implementing CSRF Protection with Node.js

Here’s a simplified example of how to implement CSRF protection with Node.js and Express.

const express = require('express');
const session = require('express-session');
const crypto = require('crypto');

const app = express();
app.use(express.urlencoded({ extended: true }));

// Session middleware so that req.session exists (the original snippet assumed it).
app.use(session({
  secret: 'replace-with-a-long-random-secret',
  resave: false,
  saveUninitialized: false,
  cookie: { httpOnly: true, sameSite: 'lax' },
}));

app.get('/protected', (req, res) => {
  // Generate a fresh, unpredictable token and bind it to this user's session.
  const csrfToken = crypto.randomBytes(16).toString('hex');
  req.session.csrfToken = csrfToken;
  // Embed the token in the form as a hidden field (inline HTML instead of a view template).
  res.send(`<form method="POST" action="/protected">
  <input type="hidden" name="csrfToken" value="${csrfToken}">
  <button type="submit">Submit</button>
</form>`);
});

app.post('/protected', (req, res) => {
  // The submitted token must match the one stored in the session.
  if (req.session.csrfToken && req.session.csrfToken === req.body.csrfToken) {
    // Process the form data
    res.send('Form submitted successfully!');
  } else {
    res.status(403).send('CSRF attack detected!');
  }
});

app.listen(3000, () => console.log('Server listening on port 3000'));

Note: This is a simplified example and lacks robust error handling and production-grade session management. In a production environment, use a dedicated session management library like `express-session` with a persistent store and a secret loaded from configuration, and keep generating tokens from a cryptographically secure source such as `crypto.randomBytes`.

When to Use CSRF Protection

CSRF protection should be implemented for any website that handles user data that can be modified or that performs actions on behalf of the user. This includes:

  • Online banking
  • E-commerce websites
  • Social media platforms
  • Any website with user accounts and sensitive data

Implementing CSRF protection is crucial for securing web applications and protecting users from malicious attacks.
