CSRF Attacks & Logins: What You Need to Know

TL;DR

Yes, CSRF (Cross-Site Request Forgery) attacks can steal login information indirectly. They don’t directly grab passwords but trick a logged-in user into performing actions they didn’t intend, like changing their password or logging out, allowing an attacker to gain control.

What is CSRF?

Imagine you’re logged into your online banking. A malicious website contains hidden code that sends a request to your bank asking it to transfer money. Because you’re already logged in, the bank might process this request as if you initiated it. That’s CSRF.

How CSRF Attacks Work

1. User Logs In: You log into a trusted website (e.g., your email provider).
2. Malicious Website: You visit another, malicious website. This site contains harmful code.
3. Forged Request: The malicious website creates a request that mimics a legitimate action on the trusted website (e.g., changing your password).
4. Automatic Submission: Your browser automatically sends this forged request to the trusted website along with your cookies, because you’re already logged in.
5. Action Executed: The trusted website processes the request as if it came from you.

Can CSRF Steal Login Credentials Directly?

Not usually. CSRF doesn’t directly steal your username and password. However, it can:

• Change Your Password: An attacker could change your password, locking you out of your account.
• Log You Out: Forcing a logout can allow the attacker to attempt brute-force attacks or phishing attempts while you’re not actively using the service.
• Make Account Changes: Altering email addresses or other security settings can give the attacker control.

How to Protect Against CSRF Attacks

1. CSRF Tokens: This is the most common and effective defense.
   • A unique, secret token is generated by the server for each user session.
   • This token is included in every form submission or request that modifies data.
   • The server verifies this token before processing the request. If the token is missing or invalid, the request is rejected.

   Example (simplified PHP):

   ';
   ?>

   On the server-side, you would check:

2. SameSite Cookies: This browser feature helps prevent CSRF attacks by controlling when cookies are sent with cross-site requests.
   • Strict: Only send the cookie if the site matches exactly. Most secure, but can break legitimate cross-site functionality.
   • Lax: Send the cookie for same-site requests and top-level navigation (e.g., clicking a link). Good balance of security and usability.
   • None: Send the cookie with all requests, but requires Secure attribute (HTTPS only).

   Example (setting in PHP):

    'Lax', 'secure' => true, 'httponly' => true]);
   ?>

3. Double Submit Cookie: Set a random value in both a cookie and a form field. The server verifies that the values match.
4. Check the Origin Header: Verify that the request originated from your domain. However, this isn’t foolproof as it can be spoofed in some cases.

What Can You Do As a User?

• Keep Your Browser Updated: Updates often include security fixes.
• Be Careful What You Click: Avoid suspicious links and websites.
• Use Strong Passwords & Two-Factor Authentication (2FA): This adds an extra layer of security even if your password is compromised.