What is Cross-site request forgery, or CSRF/XSRF?

Cross-site request forgery (CSRF / XSRF): CSRF is a security threat that has been present on many crucial websites, such as those of banks and governments. It allows an unauthorized user to make requests to the application without the knowledge of the actual user. Let's get into the details.


When does CSRF happen?

Let's take a scenario: the user logs into his bank account from a browser and then, before logging out, browses other sites (some evil site) in another tab of the same browser. The evil site might contain links or JavaScript that make a request to the bank site to transfer money to the evil user's account. CSRF exploits the trust that a site has in the user's browser.

How to prevent this?

The most common method of handling this is the Synchronizer token pattern, even though there are multiple other mechanisms. In the Synchronizer token pattern we use a unique secret token, which is embedded in the HTML form, sent with the request from the client to the server and verified on the server side. There are different methods for creating tokens, such as hashing. The evil user will not be able to place the correct token in the request.

CSRF / XSRF token mismatch issue: As we said, if the token sent from the client to the server is not successfully verified, the application throws a 500 Internal Server Error with the message "CSRF/XSRF token mismatch".

CSRF / XSRF token mismatch issue in a clustered environment: When we have multiple application servers running in parallel behind a load balancer, the load balancer might send each request to a different application server, so the token stored by one server is not known to the other and the verification fails with a mismatch. To solve this we can use sticky sessions (session affinity), which bind a user's session to one specific application server, so that the token does not mismatch.
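The following is an added example (not code from the original post) that models the Synchronizer token pattern, the token mismatch error and the clustered case above: two application nodes, each with its own in-memory token store, sit behind a constructed load balancer that is either round-robin or sticky. The session id, node names and form fields are constructed values.

```python
import hmac
import secrets

class AppServer:
    """One application node with its own in-memory session/token store."""
    def __init__(self, name):
        self.name = name
        self.tokens = {}  # session_id -> CSRF token minted for that session

    def render_form(self, session_id):
        # Synchronizer token pattern: mint a random secret, keep it server-side,
        # and embed the same value in the form as a hidden field.
        token = secrets.token_urlsafe(32)
        self.tokens[session_id] = token
        return {"csrf_token": token, "amount": "100"}

    def handle_post(self, session_id, form):
        expected = self.tokens.get(session_id)
        submitted = form.get("csrf_token", "")
        # Session unknown to this node, or a wrong/missing token: reject.
        if expected is None or not hmac.compare_digest(expected, submitted):
            return 500, "CSRF/XSRF token mismatch"
        return 200, "transfer accepted"

class LoadBalancer:
    """Round-robin by default; with sticky=True a session is pinned to one node."""
    def __init__(self, nodes, sticky=False):
        self.nodes, self.sticky, self.affinity, self.rr = nodes, sticky, {}, 0

    def route(self, session_id):
        if self.sticky and session_id in self.affinity:
            return self.affinity[session_id]
        node = self.nodes[self.rr % len(self.nodes)]
        self.rr += 1
        self.affinity[session_id] = node
        return node

def legit_user_flow(sticky):
    """Browser loads the form, then submits it; returns the POST status code."""
    lb = LoadBalancer([AppServer("app-1"), AppServer("app-2")], sticky=sticky)
    sid = "sess-alice"                                 # constructed cookie value
    form = lb.route(sid).render_form(sid)              # GET lands on app-1
    status, _ = lb.route(sid).handle_post(sid, form)   # POST: app-2 unless sticky
    return status

def forged_request_without_token():
    """The evil page's request carries the victim's cookie but not the token."""
    lb = LoadBalancer([AppServer("app-1")], sticky=True)
    sid = "sess-alice"
    lb.route(sid).render_form(sid)                     # victim has a real session
    status, _ = lb.route(sid).handle_post(sid, {"amount": "9999"})
    return status
```

With round-robin routing the legitimate POST reaches a node that never issued the token and gets the 500 mismatch; with sticky sessions the same flow succeeds, while the forged request fails on either setup.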


For more details visit: Wiki and Sticky Session

Image Credits:  Grasshopper.com, blog.iyogi
