# **CSRF (Cross-Site Request Forgery) :**

 * vulnerability that attackers can exploit to trick authenticated users into performing actions on a website that the user doesn't actually intend to do

 * CSRF attacks specifically target state-changing requests, like sending tweets and modifying user settings, instead of requests that reveal sensitive user info

 * **How Does it Works ?**

     * The attacker sets up a malicious website, email, or even a social media post and tricks the victim user into visiting their malicious site or clicking a link (Through Social Engineering Tactics)

         * ```Example For Malicious Website For Bank Transfer :```

             ```htm
             <!DOCTYPE html>
             <html>
             <head>
                 <title>Fake Transfer Page</title>
             </head>
             <body>
                 <h1>Looks like a real bank transfer page!</h1>
                 <img src="https://bank.com/transfer?amount=1000&recipient=attacker&csrftoken=" alt="Click to transfer">

                 <form action="https://bank.com/transfer" method="POST" style="display:none;" id="autosubmit">
                     <input type="hidden" name="amount" value="1000">
                     <input type="hidden" name="recipient" value="attacker">
                     <input type="hidden" name="csrftoken"            value="PLACEHOLDER_FOR_CSRF_TOKEN">
                 </form>
                 <script>
                    document.forms["autosubmit"].submit();
                 </script>
             </body>
             </html>
             ```

     * When the user visits the attacker's site, their browser unknowingly sends along any cookies or credentials it has stored for trusted sites
 
  

***
***
***

# **Mitigation :**

 * **CSRF Tokens :**

     * involves generating (on the server-side) a unique, unpredictable token for each user session Included in every request that modifies application data 

     * The server validates the presence and validity of the token before processing the request

***

 * **SameSite Cookie :**


     * This attribute helps the browser decide whether to send cookies along with cross-site requests 

         ```Set-Cookie: JSESSIONID=xxxxx; SameSite=OPTIONS```

     * **Options :**

         1) **Strict :**

             * Blocks cookies from being sent with cross-site requests even when following a regular link


         2) **Lax :**

             * Allows cookies to be sent with cross-site requests made through normal browsing (clicking links) but not with other types of requests (like XHR or form submissions from third-party sites) 


         3) **None :**
         
             * Disables SameSite restrictions  (not recommended for CSRF protection)   

***  

 * **Referrer-Based Protection :**


     * involves checking the Referer header sent by the browser with the request

     * By checking if the Referer header originates from your trusted domain, you can potentially identify CSRF attempts coming from external sources


***

 * **Double Submit Cookies :**

     * involves sending two cookies with every request :

         * A session cookie containing the user's authentication information

         * A separate, short-lived CSRF cookie with a random value


     * The server validates that both cookies are present and their values match before processing the request  


***

 * **Custom Request Headers :**

     * You can implement custom headers that only your application recognizes and expects in specific requests

         ```X-YOURSITE-CSRF-PROTECTION=1```

     * These headers would be included in legitimate requests from your application's forms but wouldn't be present in requests forged by an attacker



***
***
***

# **Bypassing Mitigation Techniques :**

 * **Bypassing CSRF Token :**

     * Deleting the token parameter or sending a blank token parameter 

     * Submitting the request with another session’s CSRF token 

         * Some applications might check only whether the token is valid, without confirming that it belongs to the current user 


     * Exploit a XSS vulnerability to steal the CSRF token from the user's browser after it's sent by the server     


***

 * **Bypassing SameSite Cookie :**

     * If the SameSite attribute is set to 'Lax', an attacker might be able to trick the user into clicking a link that initiates a CSRF attack

     * if the site allows state-changing requests with the GET HTTP method, third-party sites can attack users by creating CSRF with a GET request


***

 * **Bypassing Referer Header Checks :**

     * Try to remove the referer header

         * To remove the referer header, add a < meta > tag to the page hosting your request form

             ```<meta name="referrer" content="no-referrer">```


     * try to bypass the logic check used to validate the referer URL

         * Let’s say the application looks for the string "example.com" in the referer URL, and if the referer URL contains that string, the application treats the request as legitimate. Otherwise, it rejects the request

         * In this case, you can bypass the referer check by placing the victim domain name in the referer URL as a subdomain. You can achieve this by creating a subdomain named after the victim’s domain, and then hosting the malicious HTML on that subdomain  

             ```Referer: example.com.attacker.com```


         * You can also try placing the victim domain name in the referer URL as a pathname

             ```Referer: attacker.com/example.com```


***

* **Bypassing Double Submit Cookies :**

     * Using Session Fixation :

         *  If an attacker can steal or fixate the user's session cookie, they might be able to bypass the CSRF cookie validation as they would possess both required cookies 
            
