TE: Cross-Site Request Forgeries (CSRF)

While learning to construct forms and validators in the Symfony tutorial, I came across something of interest - Cross-Site Request Forgery (CSRF). CSRF is a technique where a malicious attacker exploits a website's trust in a user (typically the user's logged-in session) to submit requests the user never intended. This is unlike cross-site scripting (XSS), where a malicious attacker exploits the user's trust in the website to run scripts in the user's browser.


Example of CSRF:

Let's say a fictitious bank called "ABC Bank" has a website that is vulnerable to CSRF. A malicious attacker may then send a spoof email to an unwitting customer of ABC Bank with a form (or just a link) and fool the victim into submitting the seemingly harmless form. If the victim is logged into the bank website at that particular moment, it is possible for the malicious attacker to send instructions in the background to commit certain bank transactions without the user's consent.


The Good News

Fortunately, we can prevent CSRF attacks on our websites by using CSRF tokens inside our forms. What's even better is that Symfony does this by default, so we need not do anything extra in order to be protected from CSRF. How it works is that Symfony embeds a CSRF token in every form on our website, and this token is made known only to the user (as a hidden field in the rendered form). When the form is submitted, Symfony checks for the presence and validity of this token to ensure that the form was in fact submitted from the legitimate website and not from anywhere else. If a malicious attacker attempts to craft a similar form on his/her own website, that form would not have a valid CSRF token, so submitting it would not result in any valid transaction on the legitimate website. Therefore, the user is automatically protected from CSRF attacks.
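To make the mechanism concrete, here is an added example in plain PHP (it is not code from the original post and not Symfony's own implementation) of the synchronizer-token pattern the paragraph describes: a random token is stored in the session, echoed into the form as a hidden field, and compared against the submitted value before the action is carried out. The session and POST arrays are simulated so the script runs from the command line; the function names and the `_token` field name are this example's own choices.

```php
<?php
// Added example (not from the original post or from Symfony): a minimal
// synchronizer-token implementation in plain PHP. Session and request
// arrays are simulated so this runs with `php csrf_demo.php`.

// Return the per-form token stored in the session, creating it on first use.
function csrf_token(array &$session, string $formId): string
{
    if (!isset($session['_csrf'][$formId])) {
        // 32 bytes from the CSPRNG; another site cannot read or guess this.
        $session['_csrf'][$formId] = bin2hex(random_bytes(32));
    }
    return $session['_csrf'][$formId];
}

// Render the hidden field that carries the token inside the legitimate form.
function csrf_hidden_field(array &$session, string $formId): string
{
    $token = htmlspecialchars(csrf_token($session, $formId), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_token" value="' . $token . '">';
}

// Validate a submitted token against the session copy in constant time.
function csrf_is_valid(array $session, string $formId, ?string $submitted): bool
{
    $expected = $session['_csrf'][$formId] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Handler for the fictitious ABC Bank transfer form: validate before acting.
function handle_transfer(array $session, array $post): string
{
    if (!csrf_is_valid($session, 'transfer', $post['_token'] ?? null)) {
        return 'rejected: missing or invalid CSRF token';
    }
    return sprintf('transferred %s to %s', $post['amount'], $post['to']);
}

// --- Simulation with constructed data ---
$session = [];   // stands in for $_SESSION of the logged-in customer

// 1. The bank renders its form; the token appears as a hidden field,
//    which is exactly what you would look for when viewing the page source.
$formHtml = '<form method="post" action="/transfer">'
    . '<input name="to"><input name="amount">'
    . csrf_hidden_field($session, 'transfer')
    . '</form>';
echo $formHtml, PHP_EOL;

// 2. Legitimate submission: the browser sends the hidden field back.
$legit = ['to' => 'savings', 'amount' => '100',
          '_token' => $session['_csrf']['transfer']];
echo handle_transfer($session, $legit), PHP_EOL;   // transferred 100 to savings

// 3. Forged submission from another site: the session cookie still rides
//    along, but that site never saw the token, so the field is absent.
$forged = ['to' => 'elsewhere', 'amount' => '9999'];
echo handle_transfer($session, $forged), PHP_EOL;  // rejected

// 4. A guessed or stale token is rejected just the same.
$guessed = $forged + ['_token' => str_repeat('0', 64)];
echo handle_transfer($session, $guessed), PHP_EOL; // rejected
```

Two details matter for the check to hold: the token must come from a cryptographic random source (`random_bytes`), and the comparison must use `hash_equals` rather than `==` so that timing differences do not leak anything about the expected value. Symfony's Form component does the equivalent for you; this script only shows what is happening behind the hidden field.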


Moral of the Story:

If your website contains important forms and you take security seriously, make sure that your website has some form of CSRF protection. The easiest way to check might be to view the source code of any form on your website and confirm that it contains a hidden CSRF token field (see below).

[Screenshot: an example of a form that contains a CSRF token]
