
What is a CSRF attack and how do you prevent it?

Laravel is a popular framework, but it also has many points and details that take care and time to learn. One of the critical points in the security discussion is CSRF protection in Laravel, which protects web applications against Cross-Site Request Forgery attacks. Understanding how these attacks work and how to deal with them is one of the most important things any Laravel programmer should know.

If you are a Laravel programmer, or you run a website and do not want it to be compromised by a CSRF attack, stay with the SunLearn programming training website for the rest of this article.

What is a CSRF attack?

CSRF stands for Cross-Site Request Forgery: a request forged from another site. CSRF is a web security weakness that lets an attacker force users to perform actions they did not intend to perform. The attack lets the attacker bypass the policies designed to keep different websites from interfering with each other. For example, suppose google.com users log out by visiting google.com/logout, which clears their browser cookies. Now suppose a user of some other site (a busy forum, say) posts an "image" with the following img tag, and other people in that forum view the page:

<img src="http://www.google.com/logout/" alt="" />

Their browsers will send a request to Google's site, and everyone who loaded that image will be logged out of their Google account.

Of course, this is a simple and harmless example; there are far more dangerous cases.

How does CSRF work?

CSRF works because the web application cannot distinguish a valid request from a forged request controlled by the attacker. An attacker has many ways to exploit a CSRF weakness. To understand this type of attack better, we give an example of how a CSRF attack against a Laravel application works.

Suppose a person named Bob has an online bank account at samplebank.com. He visits the site regularly to manage his money. Bob does not know that samplebank.com is vulnerable to CSRF. Meanwhile, an attacker plans to use this vulnerability to transfer $5,000 from Bob's account to another account.

For this attack to succeed:

  • The attacker must create an exploitable URL.
  • The attacker must trick Bob into opening that URL.
  • Bob must have an active session at samplebank.com, that is, he must be logged in to his account.

Suppose the bank's website performs a transfer in response to a GET request. Bob's own request to transfer $500 to another account (account number 213367) might look like this:

GET https://samplebank.com/onlinebanking/transfer?amount=500&accountNumber=213367

As mentioned earlier, for the attack to succeed, the attacker has to craft a malicious URL that transfers $5,000 to account 425654:

https://samplebank.com/onlinebanking/transfer?amount=5000&accountNumber=425654

Now consider the case where an img tag can be used. The attacker sends Bob an email containing an image whose source is that URL. As soon as the email is rendered, Bob's browser automatically requests the URL in the img tag. As a result, if Bob has an active session on samplebank.com, an unwanted request is sent to the bank's website without any action on Bob's part. The site treats this URL as a money transfer request from Bob, and the amount is transferred to the account chosen by the attacker.

  • The attack only succeeds if the user has an active session on the vulnerable website.
  • The attacker must find a valid URL that changes state on the target site, and deliberately manipulate it.
  • Finally, the attacker must find the right values for the URL parameters; otherwise the target website may reject the forged request.

Laravel provides an easy protection mechanism against CSRF attacks. CSRF protection in Laravel works by generating a CSRF token for each active user session in the application. This token is used to verify that the authenticated user is really the one making the request.

Whenever you create an HTML form (a <form> tag) on a page, you must include the CSRF token so that Laravel's protection can approve the request; otherwise the request is rejected. To do this, just put the @csrf directive inside your form tag, like the following code:

<form method="POST" action="/profile">
    @csrf
</form>

The VerifyCsrfToken middleware, which is part of the web middleware group, automatically verifies that the token in the request matches the token stored in the session.

Prevent CSRF attacks in PHP

Here are some ways to prevent this kind of attack in PHP.

Prevent CSRF attacks in Laravel by checking request headers

Checking the request headers can help prevent CSRF attacks: if the request arrived from another domain, it must be forged and should be blocked.
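As an added example (not code from the original post), here is a plain-PHP version of this header check. It takes the request headers as an array; in a real application you would pass $_SERVER['HTTP_ORIGIN'] and $_SERVER['HTTP_REFERER'], and samplebank.com is only the article's example domain.

```php
<?php
// Added example, not part of the original article. Accepts a request only when the
// Origin header (or, if absent, the Referer header) names our own host.
// $allowedHost is an assumption; use the application's real host in practice.

function originAllowed(array $headers, string $allowedHost): bool
{
    // Prefer Origin: browsers attach it to cross-site POSTs and page scripts cannot forge it.
    $source = $headers['Origin'] ?? $headers['Referer'] ?? null;
    if ($source === null) {
        // Neither header present: fail closed and treat the request as cross-site.
        return false;
    }
    // Origin can literally be "null" (e.g. a sandboxed iframe); parse_url() yields no host for it.
    $host = parse_url($source, PHP_URL_HOST);
    // Exact host comparison: a prefix match would also accept samplebank.com.attacker.example
    return is_string($host) && strcasecmp($host, $allowedHost) === 0;
}

// Constructed sample requests for illustration only.
$requests = [
    'same-site form post' => ['Origin' => 'https://samplebank.com'],
    'forged from a forum' => ['Origin' => 'https://forum.example',
                              'Referer' => 'https://forum.example/thread/42'],
    'headers stripped'    => [],
    'look-alike host'     => ['Referer' => 'https://samplebank.com.attacker.example/'],
];

foreach ($requests as $label => $headers) {
    $verdict = originAllowed($headers, 'samplebank.com') ? 'allowed' : 'blocked';
    echo str_pad($label, 22) . ': ' . $verdict . PHP_EOL;
}
```

Privacy extensions and a strict Referrer-Policy can strip both headers, so a check that fails closed may also block some legitimate users; use it alongside the token method described below rather than instead of it.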

Prevent CSRF attacks in Laravel by adding a captcha to forms

Captcha verification is an effective way to prevent attacks on forms. Captchas were originally developed to keep bots out, but they can also be used to stop CSRF attacks. Because the captcha is randomly generated for each form shown to the user, the attacker cannot guess its value, so he can never send the correct captcha with a forged request, and all forged requests are blocked. Note that this method is not very user-friendly: most users do not like filling in many captchas on a website, so we should try to prevent the attack without adding this extra burden.

Prevent CSRF attacks in Laravel using tokens

Using tokens is the safest way to prevent these attacks. Unlike the captcha method, it requires no effort from users, who never notice that something is protecting them. With this method, the website places a random token in each form as a hidden value. The token is tied to the user's session. When the form is submitted, the website checks whether the submitted token matches the one tied to the session.

Using this method, developers can quickly identify whether a request was forged by an attacker.
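As an added example (not Laravel's code and not from the original post), here is the token scheme in plain PHP sessions, mirroring both what the @csrf directive and VerifyCsrfToken middleware do in Laravel and what this section describes in general: one random token per session, a hidden field equivalent to @csrf, and a constant-time check on submit. The function names csrfToken, csrfField and csrfTokenValid are our own.

```php
<?php
// Added example, not Laravel's implementation: per-session CSRF token in plain PHP.
// Function names below are our own choices.

session_start();

// Create one random token per session and keep reusing it until the session ends.
function csrfToken(): string
{
    if (empty($_SESSION['_token'])) {
        // 32 random bytes = 64 hex characters; another site cannot guess or read it.
        $_SESSION['_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['_token'];
}

// Hidden field to place inside every <form>; this is what Laravel's @csrf renders.
function csrfField(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_token" value="' . $token . '">';
}

// Compare the submitted token with the session copy. hash_equals() runs in constant
// time, so response timing leaks nothing about how many leading bytes matched.
function csrfTokenValid(?string $submitted): bool
{
    $expected = $_SESSION['_token'] ?? null;
    return is_string($submitted) && is_string($expected)
        && hash_equals($expected, $submitted);
}

// A state-changing route: verify before doing any work, as the middleware does.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfTokenValid($_POST['_token'] ?? null)) {
        http_response_code(419); // Laravel answers 419 "Page Expired" on a mismatch
        exit('CSRF token mismatch');
    }
    // ... token is valid: perform the transfer for the logged-in user here ...
    exit('Transfer accepted');
}

// GET: render the form. A page on another site cannot read this hidden value.
echo '<form method="POST" action="/onlinebanking/transfer">'
   . csrfField()
   . '<input name="amount"><input name="accountNumber">'
   . '<button>Transfer</button></form>';
```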

Protect against CSRF attacks using the NoCSRF class

NoCSRF is a simple anti-CSRF PHP class that generates and checks tokens. You can also use the many simple examples in the NoCSRF GitHub repository to learn how to implement this class on your website.

Protect against CSRF attacks using the csrf class by Skookum

csrf by Skookum is another PHP class for CSRF protection. The class is free and available to everyone; you can copy and paste it into your web application. See the csrf by Skookum GitHub page for more details.

Protect against CSRF attacks using the Anti surf library

Anti surf is a small PHP library that can prevent CSRF attacks on web applications. The library claims to be a strong protection against such attacks. It uses a one-time token that also has a time limit. You can download it and get more information by visiting the Anti surf site.

How is a CSRF attack created?

Manually writing the HTML needed for a CSRF attack can be time-consuming, especially when the request has many parameters or other elements. The easiest way to create a CSRF proof of concept is the CSRF PoC generator (a tool that makes designing the attack easier) in the Burp Suite Professional toolkit.

Follow these steps to create a CSRF attack:

  • Select the request you want to test in Burp Suite Professional.
  • Right-click it and select Engagement tools / Generate CSRF PoC.
  • Burp Suite generates HTML that triggers the selected request (minus cookies, which the victim's browser adds automatically).
  • To fine-tune different aspects of the attack, you can change the other options in the CSRF PoC generator.
  • Finally, copy the generated HTML into a web page, view it in a browser that is logged in to the vulnerable website, and check whether the request succeeded.

Disable CSRF on specific routes in Laravel

Depending on the circumstances, we may need to disable CSRF protection for specific routes in Laravel. To do this, open the VerifyCsrfToken middleware class:

App\Http\Middleware\VerifyCsrfToken

This class contains an $except array. To disable CSRF protection for specific paths, just add the desired URIs to this array. Once that is done, the listed routes are excluded from Laravel's CSRF check.
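The class the article refers to looks like this in Laravel versions that ship app/Http/Middleware/VerifyCsrfToken.php (up to Laravel 10). This is an added example, not the article's own code; the two URIs in $except are placeholders for routes that genuinely cannot carry a session token.

```php
<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * Every entry here gives up the protection described above, so keep the list
     * short and make sure each route has another guard (for example, verifying
     * the signature a payment provider puts on its webhook calls).
     * The paths below are illustrative placeholders, not real routes.
     *
     * @var array<int, string>
     */
    protected $except = [
        'webhooks/payment-provider', // server-to-server callback, no browser session involved
        'legacy-api/*',              // wildcard excludes every URI under legacy-api/
    ];
}
```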

Why should we use CSRF Protection in Laravel?

In this article, we have tried to fully describe CSRF attacks, how they work and how to prevent this kind of damage. Note that this security hole is one of the most serious threats to a website; it can be very dangerous and can destroy a business overnight if you do not follow the security steps. If you use Laravel, you can easily prevent such attacks by using its built-in CSRF protection feature.

If you know other ways to defend against CSRF attacks, we would love for you to share them with other users of the SunLearn website in the comments section.