What is CSRF?
A malicious website tricks a user's browser into sending unauthorised commands to a trusted website where the user is already logged in
What external elements could be used in CSRF?
Ad
Form
Chunk of JS
iFrame
CSRF Scenario
CSRF Mitigation
CSRF Tokens
SameSite Cookies
User Interaction
Web dev framework
CSRF Mitigation: CSRF Tokens
Random hidden tokens that all requests must send and that must match the values held by the server
CSRF Mitigation: SameSite Cookies
Tell browsers not to send cookies with cross-site requests
CSRF Mitigation: User Interaction
Re-authenticate or ‘Are you sure?’ confirmations
CSRF Mitigation: Web Dev Framework
Use well-known ones with built-in CSRF protection. Keep them up to date and subscribe to their security bulletins
What is SSRF?
The app fetches a remote resource without validating the URL, which lets an attacker gain access to internal systems
How does SSRF work?
Blind SSRF
The malicious party has limited control over the actual packets sent by the server, and/or the server returns nothing to the malicious party
Non-blind SSRF
The server returns the fetched data to the malicious party
How is the web server used as a tool in SSRF?
It acts as a proxy for the attacker, hiding the true actor. It is used for unauthenticated requests, protocol smuggling and data exfiltration.
SSRF Mitigation
Only allow whitelisted safe domains
Block internal IP ranges
Disable unnecessary outbound connections
Use network segmentation so web servers cannot reach internal services