Securing Node Applications by Chetan Karande


Chapter 8. Cross-Site Request Forgery

The cross-site request forgery (CSRF) vulnerability enables an attacker to exploit a victim user’s authenticated session and trick the user into performing any state-changing operation that the victim user is authorized to perform. For example, this attack can result in changing a user password, updating account details, or making purchases without the user knowing.

Attack Mechanics

As the name indicates, an attacker lures a user into visiting a cross-site page, that is, an externally hosted malicious web page, which typically contains a forged HTML form with hidden fields matching the form rendered by the target web application.

For example, Example 8-1 shows a malicious web page targeting an admin user of a vulnerable application. It entices the user to click a button, which submits the form. Because the server response is loaded into a hidden iframe, the victim user gets no clue about the transaction.

Example 8-1. A malicious web page crafted for a CSRF attack
<form method="POST" action="http://example.com/admin/changeRole"
      target="iframeHidden">
  <h1>You are about to win a brand new iPhone!</h1>
  <h2>Click on the win button to claim it...</h2>
  <input type="hidden" name="accountId" value="67887"/>
  <input type="hidden" name="newRoleId" value="1"/>
  <input type="submit" value="Win !!!"/>
</form>
<!-- iframe is not a void element, so it needs an explicit closing tag -->
<iframe name="iframeHidden" width="1" height="1"></iframe>

In this example, when an admin user—who is authorized to escalate the role of other users—clicks ...
