Understanding CSRF, the video tutorial edition

Cross-site request forgery is one of those attacks which remains enormously effective yet is frequently misunderstood. I’ve been running a bunch of security workshops for web developers around the globe recently and this is one of the topics we cover that often results in blank stares when I first ask about it. It usually unfolds that the developers have multiple resources at risk of a CSRF attack and if it’s not a classic web-form-style resource, then it’s frequently an API somewhere (you’re passing anti-forgery tokens to any APIs you wouldn’t want fraudulently called, right?!)

I thought I’d record a quick (ok, half an hour is still quick for me!) and unedited walkthrough of the mechanics of CSRF and how ASP.NET deals with it in both MVC and Web Forms. The .NET bits are just examples of how anti-forgery tokens in hidden form fields and cookies work though so don’t worry if you live in another web stack, it’s the same fundamental defence. Here’s the vid:
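The hidden-field-plus-cookie defence described above, shown as an added Python example (this is not code from the post or from ASP.NET); the server key, session identifiers, cookie name and field name are constructed assumptions for the demo. It issues a bound token pair for a form, then runs a genuine submission and two forged ones through the server-side check:

```python
import hashlib
import hmac
import secrets

# Constructed secret and field names for this demo; a real app loads its key
# from protected configuration and ASP.NET uses its own token names.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
COOKIE_NAME = "af_cookie"
FIELD_NAME = "af_token"


def issue_tokens(session_id: str) -> tuple[str, str]:
    """Return (cookie_value, hidden_field_value) for one rendered form.

    The cookie holds a random value; the hidden field holds an HMAC binding
    that value to the user's session. A page on another origin can neither
    read the cookie nor compute the HMAC, so it cannot produce a valid pair.
    """
    cookie_value = secrets.token_hex(16)
    msg = f"{session_id}:{cookie_value}".encode()
    return cookie_value, hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def validate_request(session_id: str, cookies: dict, form: dict) -> bool:
    """Server-side check to run before any state-changing action."""
    cookie_value = cookies.get(COOKIE_NAME)
    field_value = form.get(FIELD_NAME)
    if not cookie_value or not field_value:
        return False  # the cookie arrives automatically; the field does not
    msg = f"{session_id}:{cookie_value}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, field_value)


def demo() -> dict:
    """Run three constructed requests through the check; return the outcomes."""
    session = "session-for-alice"  # constructed session identifier
    cookie_value, field_value = issue_tokens(session)
    victim_cookies = {COOKIE_NAME: cookie_value}
    # 1. Genuine POST from the site's own form: both halves present and bound.
    legit = validate_request(session, victim_cookies, {FIELD_NAME: field_value, "amount": "100"})
    # 2. Classic CSRF: the browser attaches the victim's cookie, but the
    #    cross-site form cannot include the matching hidden field value.
    no_field = validate_request(session, victim_cookies, {"amount": "100"})
    # 3. A field value issued for a different session is submitted instead.
    _, other_field = issue_tokens("session-for-someone-else")
    other_session = validate_request(session, victim_cookies, {FIELD_NAME: other_field})
    return {"legitimate": legit, "forged_no_field": no_field,
            "forged_other_session": other_session}
```

Calling `demo()` returns True only for the genuine submission; the same check applies unchanged to an API endpoint that accepts the token in a header instead of a form field.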

For a great example of nasty CSRF and an attack style we’ve seen many times before now, check out how an attack campaign compromised 300,000 home routers and altered their DNS settings.

If you’d like to have a play with CSRF yourself, that form I used in the vid is here:

The site I use to demo it is here:

If you’d like to read about CSRF in more detail, check out my 2010 post (crikey, is it that long already?!) on OWASP Top 10 for .NET developers part 5: Cross-Site Request Forgery (CSRF). If you have Pluralsight access, it’s in my course of the same name for the .NET folks or my Hack Yourself First course if you’d like a technology agnostic view of it. If you don’t have Pluralsight, firstly, what’s wrong with you?! :) And secondly, you can still get three months for free using this one neat trick… enjoy!


Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals