Is CSRF still a relevant attack vector?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
1
down vote

favorite












CSRF was part of older OWASP TOP 10 lists but has been retired "as many frameworks include CSRF defenses, it was found in only 5% of applications".
But even without frameworks doing CSRF defense, I've got the feeling that modern browsers already mitigate the problem. Cookies and headers needed for authentication are not sent by default in cross site requests.



For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. At least in Chrome.



So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.










share|improve this question





























    up vote
    1
    down vote

    favorite












    CSRF was part of older OWASP TOP 10 lists but has been retired "as many frameworks include CSRF defenses, it was found in only 5% of applications".
    But even without frameworks doing CSRF defense, I've got the feeling that modern browsers already mitigate the problem. Cookies and headers needed for authentication are not sent by default in cross site requests.



    For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. At least in Chrome.



    So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.










    share|improve this question

























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      CSRF was part of older OWASP TOP 10 lists but has been retired "as many frameworks include CSRF defenses, it was found in only 5% of applications".
      But even without frameworks doing CSRF defense, I've got the feeling that modern browsers already mitigate the problem. Cookies and headers needed for authentication are not sent by default in cross site requests.



      For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. At least in Chrome.



      So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.










      share|improve this question















      CSRF was part of older OWASP TOP 10 lists but has been retired "as many frameworks include CSRF defenses, it was found in only 5% of applications".
      But even without frameworks doing CSRF defense, I've got the feeling that modern browsers already mitigate the problem. Cookies and headers needed for authentication are not sent by default in cross site requests.



      For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. At least in Chrome.



      So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.







      web-application csrf






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 1 hour ago









      Anders

      45.5k21127152




      45.5k21127152










      asked 4 hours ago









      rdmueller

      87311014




      87311014




















          3 Answers
          3






          active

          oldest

          votes

















          up vote
          2
          down vote














          ... if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. ... which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.




          CORS for XHR is not a new mitigation and it even isn't a mitigation against previously working attacks at all. When XMLHttpRequest was designed no cross-origin requests were possible at all. And only with the introduction of CORS this restrictions was changed and replaced with cross-origin requests controlled by a CORS policy. Thus, all the old browsers which did not implement CORS were not affected by CSRF via XHR in the first place.



          Nevertheless, CSRF is still a problem and can still be used the same way as it could in the past. XHR is not needed as a vector for CSRF attacks at all and it did not work in the past anyway. Instead cross-site image includes, cross-site form submits or similar can be used, which still automatically send the necessary credentials and cookies cross-site. The new samesite attribute for cookies can be used to prevent this but it has to be explicitly set by the application and not all browsers support it yet.



          Therefore proper CSRF protection is still needed today.



          What happens if CSRF protection is not properly implement can be seen for example by recent news like Hackers Launching Massive Cyber Attack Against 800,000 DrayTek Routers by Exploiting zero-day Vulnerability.






          share|improve this answer






















          • Maybe I've put too much emphasis on the XMLHttpRequest example. AFAIK, also other CSRF requests like <img>-tags are nowadays not so easy to create, because they don't send cookies anymore or do they still? btw: I can't find a reference to CSRF in the article you linked...
            – rdmueller
            3 hours ago

















          up vote
          1
          down vote













          If I had to make a comment on the matter then It'd be best reflected by what's written in this piece.



          https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f



          CSRF is still relevant in a condition similar to IPv4 - We won't be able to phase out legacy systems that are privy to it for a while yet, and eventually a permutation of it will arise.



          As always; remember to patch your systems kids






          share|improve this answer








          New contributor




          Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.

















          • thanx. The article is great and your comparison with IPv4 is what I think, too. But it would be nice to have some figures on what percentage of browsers still cause a problem
            – rdmueller
            4 hours ago

















          up vote
          1
          down vote














          Cookies and headers needed for authentication are not sent by default in cross site requests.




          That is not correct. If a user clicks a link or post a form on evil.com to example.com, cookies will be included. The user doesn't even have to click the link or submit button, it can be automated with a script.




          For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful.




          Yeah, sure. But why would an attacker need XHR when you can just use an old fashioned form?




          So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.




          Browsers do not implement any automatic counter measures, so you still need to do it. Vulnerable sites will continue to be vulnerable no matter how modern browsers we use.



          In one way you are right, though. Modern API:s are often designed in ways that gives them at least some CSRF protection by default. This happens for instance if you do authentication with a authorization header instead of cookies, or if you only accept POST requests with a JSON body.






          share|improve this answer




















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "162"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f194936%2fis-csrf-still-a-relevant-attack-vector%23new-answer', 'question_page');

            );

            Post as a guest






























            3 Answers
            3






            active

            oldest

            votes








            3 Answers
            3






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            2
            down vote














            ... if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. ... which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.




            CORS for XHR is not a new mitigation and it even isn't a mitigation against previously working attacks at all. When XMLHttpRequest was designed no cross-origin requests were possible at all. And only with the introduction of CORS this restrictions was changed and replaced with cross-origin requests controlled by a CORS policy. Thus, all the old browsers which did not implement CORS were not affected by CSRF via XHR in the first place.



            Nevertheless, CSRF is still a problem and can still be used the same way as it could in the past. XHR is not needed as a vector for CSRF attacks at all and it did not work in the past anyway. Instead cross-site image includes, cross-site form submits or similar can be used, which still automatically send the necessary credentials and cookies cross-site. The new samesite attribute for cookies can be used to prevent this but it has to be explicitly set by the application and not all browsers support it yet.



            Therefore proper CSRF protection is still needed today.



            What happens if CSRF protection is not properly implement can be seen for example by recent news like Hackers Launching Massive Cyber Attack Against 800,000 DrayTek Routers by Exploiting zero-day Vulnerability.






            share|improve this answer






















            • Maybe I've put too much emphasis on the XMLHttpRequest example. AFAIK, also other CSRF requests like <img>-tags are nowadays not so easy to create, because they don't send cookies anymore or do they still? btw: I can't find a reference to CSRF in the article you linked...
              – rdmueller
              3 hours ago














            up vote
            2
            down vote














            ... if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. ... which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.




            CORS for XHR is not a new mitigation and it even isn't a mitigation against previously working attacks at all. When XMLHttpRequest was designed no cross-origin requests were possible at all. And only with the introduction of CORS this restrictions was changed and replaced with cross-origin requests controlled by a CORS policy. Thus, all the old browsers which did not implement CORS were not affected by CSRF via XHR in the first place.



            Nevertheless, CSRF is still a problem and can still be used the same way as it could in the past. XHR is not needed as a vector for CSRF attacks at all and it did not work in the past anyway. Instead cross-site image includes, cross-site form submits or similar can be used, which still automatically send the necessary credentials and cookies cross-site. The new samesite attribute for cookies can be used to prevent this but it has to be explicitly set by the application and not all browsers support it yet.



            Therefore proper CSRF protection is still needed today.



            What happens if CSRF protection is not properly implement can be seen for example by recent news like Hackers Launching Massive Cyber Attack Against 800,000 DrayTek Routers by Exploiting zero-day Vulnerability.






            share|improve this answer






















            • Maybe I've put too much emphasis on the XMLHttpRequest example. AFAIK, also other CSRF requests like <img>-tags are nowadays not so easy to create, because they don't send cookies anymore or do they still? btw: I can't find a reference to CSRF in the article you linked...
              – rdmueller
              3 hours ago












            up vote
            2
            down vote










            up vote
            2
            down vote










            ... if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. ... which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.




            CORS for XHR is not a new mitigation and it even isn't a mitigation against previously working attacks at all. When XMLHttpRequest was designed no cross-origin requests were possible at all. And only with the introduction of CORS this restrictions was changed and replaced with cross-origin requests controlled by a CORS policy. Thus, all the old browsers which did not implement CORS were not affected by CSRF via XHR in the first place.



            Nevertheless, CSRF is still a problem and can still be used the same way as it could in the past. XHR is not needed as a vector for CSRF attacks at all and it did not work in the past anyway. Instead cross-site image includes, cross-site form submits or similar can be used, which still automatically send the necessary credentials and cookies cross-site. The new samesite attribute for cookies can be used to prevent this but it has to be explicitly set by the application and not all browsers support it yet.



            Therefore proper CSRF protection is still needed today.



            What happens if CSRF protection is not properly implement can be seen for example by recent news like Hackers Launching Massive Cyber Attack Against 800,000 DrayTek Routers by Exploiting zero-day Vulnerability.






            share|improve this answer















            ... if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. ... which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.




            CORS for XHR is not a new mitigation and it even isn't a mitigation against previously working attacks at all. When XMLHttpRequest was designed no cross-origin requests were possible at all. And only with the introduction of CORS this restrictions was changed and replaced with cross-origin requests controlled by a CORS policy. Thus, all the old browsers which did not implement CORS were not affected by CSRF via XHR in the first place.



            Nevertheless, CSRF is still a problem and can still be used the same way as it could in the past. XHR is not needed as a vector for CSRF attacks at all and it did not work in the past anyway. Instead cross-site image includes, cross-site form submits or similar can be used, which still automatically send the necessary credentials and cookies cross-site. The new samesite attribute for cookies can be used to prevent this but it has to be explicitly set by the application and not all browsers support it yet.



            Therefore proper CSRF protection is still needed today.



            What happens if CSRF protection is not properly implement can be seen for example by recent news like Hackers Launching Massive Cyber Attack Against 800,000 DrayTek Routers by Exploiting zero-day Vulnerability.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited 4 hours ago

























            answered 4 hours ago









            Steffen Ullrich

            107k12182247




            107k12182247











            • Maybe I've put too much emphasis on the XMLHttpRequest example. AFAIK, also other CSRF requests like <img>-tags are nowadays not so easy to create, because they don't send cookies anymore or do they still? btw: I can't find a reference to CSRF in the article you linked...
              – rdmueller
              3 hours ago
















            • Maybe I've put too much emphasis on the XMLHttpRequest example. AFAIK, also other CSRF requests like <img>-tags are nowadays not so easy to create, because they don't send cookies anymore or do they still? btw: I can't find a reference to CSRF in the article you linked...
              – rdmueller
              3 hours ago















            Maybe I've put too much emphasis on the XMLHttpRequest example. AFAIK, also other CSRF requests like <img>-tags are nowadays not so easy to create, because they don't send cookies anymore or do they still? btw: I can't find a reference to CSRF in the article you linked...
            – rdmueller
            3 hours ago




            Maybe I've put too much emphasis on the XMLHttpRequest example. AFAIK, also other CSRF requests like <img>-tags are nowadays not so easy to create, because they don't send cookies anymore or do they still? btw: I can't find a reference to CSRF in the article you linked...
            – rdmueller
            3 hours ago












            up vote
            1
            down vote













            If I had to make a comment on the matter then It'd be best reflected by what's written in this piece.



            https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f



            CSRF is still relevant in a condition similar to IPv4 - We won't be able to phase out legacy systems that are privy to it for a while yet, and eventually a permutation of it will arise.



            As always; remember to patch your systems kids






            share|improve this answer








            New contributor




            Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.

















            • thanx. The article is great and your comparison with IPv4 is what I think, too. But it would be nice to have some figures on what percentage of browsers still cause a problem
              – rdmueller
              4 hours ago














            up vote
            1
            down vote













            If I had to make a comment on the matter then It'd be best reflected by what's written in this piece.



            https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f



            CSRF is still relevant in a condition similar to IPv4 - We won't be able to phase out legacy systems that are privy to it for a while yet, and eventually a permutation of it will arise.



            As always; remember to patch your systems kids






            share|improve this answer








            New contributor




            Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.

















            • thanx. The article is great and your comparison with IPv4 is what I think, too. But it would be nice to have some figures on what percentage of browsers still cause a problem
              – rdmueller
              4 hours ago












            up vote
            1
            down vote










            up vote
            1
            down vote









            If I had to make a comment on the matter then It'd be best reflected by what's written in this piece.



            https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f



            CSRF is still relevant in a condition similar to IPv4 - We won't be able to phase out legacy systems that are privy to it for a while yet, and eventually a permutation of it will arise.



            As always; remember to patch your systems kids






            share|improve this answer








            New contributor




            Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.









            If I had to make a comment on the matter then It'd be best reflected by what's written in this piece.



            https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f



            CSRF is still relevant in a condition similar to IPv4 - We won't be able to phase out legacy systems that are privy to it for a while yet, and eventually a permutation of it will arise.



            As always; remember to patch your systems kids







            share|improve this answer








            New contributor




            Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.









            share|improve this answer



            share|improve this answer






            New contributor




            Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.









            answered 4 hours ago









            Juliette Moss

            111




            111




            New contributor




            Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.





            New contributor





            Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.






            Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.











            • thanx. The article is great and your comparison with IPv4 is what I think, too. But it would be nice to have some figures on what percentage of browsers still cause a problem
              – rdmueller
              4 hours ago
















            • thanx. The article is great and your comparison with IPv4 is what I think, too. But it would be nice to have some figures on what percentage of browsers still cause a problem
              – rdmueller
              4 hours ago















            thanx. The article is great and your comparison with IPv4 is what I think, too. But it would be nice to have some figures on what percentage of browsers still cause a problem
            – rdmueller
            4 hours ago




            thanx. The article is great and your comparison with IPv4 is what I think, too. But it would be nice to have some figures on what percentage of browsers still cause a problem
            – rdmueller
            4 hours ago










            up vote
            1
            down vote














            Cookies and headers needed for authentication are not sent by default in cross site requests.




            That is not correct. If a user clicks a link or post a form on evil.com to example.com, cookies will be included. The user doesn't even have to click the link or submit button, it can be automated with a script.




            For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful.




            Yeah, sure. But why would an attacker need XHR when you can just use an old fashioned form?




            So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.




            Browsers do not implement any automatic counter measures, so you still need to do it. Vulnerable sites will continue to be vulnerable no matter how modern browsers we use.



            In one way you are right, though. Modern API:s are often designed in ways that gives them at least some CSRF protection by default. This happens for instance if you do authentication with a authorization header instead of cookies, or if you only accept POST requests with a JSON body.






            share|improve this answer
























              up vote
              1
              down vote














              Cookies and headers needed for authentication are not sent by default in cross site requests.




              That is not correct. If a user clicks a link or post a form on evil.com to example.com, cookies will be included. The user doesn't even have to click the link or submit button, it can be automated with a script.




              For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful.




              Yeah, sure. But why would an attacker need XHR when you can just use an old fashioned form?




              So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.




              Browsers do not implement any automatic counter measures, so you still need to do it. Vulnerable sites will continue to be vulnerable no matter how modern browsers we use.



              In one way you are right, though. Modern API:s are often designed in ways that gives them at least some CSRF protection by default. This happens for instance if you do authentication with a authorization header instead of cookies, or if you only accept POST requests with a JSON body.






              share|improve this answer






















                up vote
                1
                down vote










                up vote
                1
                down vote










                Cookies and headers needed for authentication are not sent by default in cross site requests.




                That is not correct. If a user clicks a link or post a form on evil.com to example.com, cookies will be included. The user doesn't even have to click the link or submit button, it can be automated with a script.




                For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful.




                Yeah, sure. But why would an attacker need XHR when you can just use an old fashioned form?




                So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.




                Browsers do not implement any automatic counter measures, so you still need to do it. Vulnerable sites will continue to be vulnerable no matter how modern browsers we use.



                In one way you are right, though. Modern API:s are often designed in ways that gives them at least some CSRF protection by default. This happens for instance if you do authentication with a authorization header instead of cookies, or if you only accept POST requests with a JSON body.






                share|improve this answer













                Cookies and headers needed for authentication are not sent by default in cross site requests.




                That is not correct. If a user clicks a link or post a form on evil.com to example.com, cookies will be included. The user doesn't even have to click the link or submit button, it can be automated with a script.




                For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful.




                Yeah, sure. But why would an attacker need XHR when you can just use an old fashioned form?




                So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.




                Browsers do not implement any automatic counter measures, so you still need to do it. Vulnerable sites will continue to be vulnerable no matter how modern browsers we use.



                In one way you are right, though. Modern API:s are often designed in ways that gives them at least some CSRF protection by default. This happens for instance if you do authentication with a authorization header instead of cookies, or if you only accept POST requests with a JSON body.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 1 hour ago









                Anders

                45.5k21127152




                45.5k21127152



























                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f194936%2fis-csrf-still-a-relevant-attack-vector%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Comments

                    Popular posts from this blog

                    What does second last employer means? [closed]

                    Installing NextGIS Connect into QGIS 3?

                    One-line joke