Video: CSRF (Cross Site Request Forgery) Attacks for Non-Infosec Peeps
Video showing a demo from the OWASP page
Everyone is making COVID-19 isolation videos, so I am too! I’ve put together a VERY rudimentary video about how a CSRF attack works. This is just a demo, folks - your bank is very secure, do not worry!
This video isn’t aimed at infosec peeps. If you’re already working in infosec, you probably know all this already.
Sorry about the clicking during some parts of the video. I am hunting that down!
Key points:
CSRF attacks only work against users who are currently authenticated to the targeted site. For example, an Acme Bank user who is still logged in to their Acme Bank account when they click the CSRF link: the browser attaches the Acme Bank session cookie to the forged request automatically, which is what makes the attack work.
CSRF relies heavily upon phishing: the target user has to be tricked into loading the attacker's content, most often by clicking a link sent through a means like email or text message (any page the attacker controls, such as a forum post or an ad, can carry the same forged request). Being vigilant against phishing is how users protect themselves.
Following OWASP recommendations for hardening applications against CSRF (a per-session anti-CSRF token checked on every state-changing request, plus the SameSite cookie attribute as a second layer) is how developers protect their users.
This attack would not work against any Canadian bank or Credit Union I am aware of, nor any “big” site like the Amazons and Paypals of the world.
There are thousands of websites where it would work, however. Probably mostly small business or non-profit websites that are typically developed by people with non-existent or sub-standard website security training.
The “cast of characters” I mention in the video are listed here.