Cross site forgery, or cross site request forgery (CSRF), is a web-based attack in which a malicious web site, instant message, email, or program causes the victim's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
For example, let's say I am logged into my bank account (or cookie information is still stored from a recent login) and I click on a malicious link.
As a result, the link causes me to transfer money from my account, which I am logged into, to the attacker's. Since this attack only requires a quick click on a malicious link, it is also known as a one-click attack.
Preventing Cross Site Request Forgery on Your Websites
Steps can be taken by both users and web sites to prevent cross-site forgery from taking place. The user can:
- Avoid clicking on links from an untrusted source
- Log off immediately after using a web application so that the session no longer remains open
- Not allow browsers or websites to remember their login information through cookies or other methods
- Use one browser for general web browsing and a separate browser for viewing confidential/sensitive websites
Security techniques can also be put in place by a web developer to prevent cross-site forgery attacks against visitors to a given website. When developing web sites, you may want to consider any of the following techniques to prevent attackers from exploiting a CSRF vulnerability:
- Require an authentication token in the GET and POST parameters of each browser/server exchange, not only in cookie information
- Require cookie information to be double submitted, once through the header value and a second time in a hidden form value
- Employ a challenge/response such as a CAPTCHA
- Check the HTTP Referer header; note that the web browser will omit the Referer header when the request is sent over HTTPS
- Use a prevention framework such as OWASP CSRFGuard, PHP CSRF Guard, or .NET CSRF Guard
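The three server-side checks listed above (a per-session token carried in the request parameters, a double-submitted cookie, and a Referer check) can be shown in a few lines of code. The following is an added example written for this page, not code from any of the frameworks it names; the `Request` class, the `SERVER_SECRET`, the `TRUSTED_ORIGIN` value and the sample requests are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed values for this example; a real deployment loads the secret from
# configuration and sets the trusted origin to its own scheme://host[:port].
SERVER_SECRET = b"example-only-secret-replace-in-production"
TRUSTED_ORIGIN = "https://bank.example"


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (hypothetical shape)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session_id).

    The token is placed in a hidden form field when the page is rendered.
    Because it is derived from the session id, the server can recompute it
    on every request without storing per-session state.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_synchronizer_token(request: Request, session_id: str) -> bool:
    """Technique 1: the token in the request parameters must match the session."""
    expected = issue_csrf_token(session_id)
    submitted = request.form.get("csrf_token", "")
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected, submitted)


def check_double_submit(request: Request) -> bool:
    """Technique 2: the same random value must arrive both as a cookie and as a
    hidden form value. A cross-origin page cannot read the cookie, so it cannot
    copy it into the form."""
    cookie_value = request.cookies.get("csrf_cookie", "")
    form_value = request.form.get("csrf_cookie", "")
    return bool(cookie_value) and hmac.compare_digest(cookie_value, form_value)


def check_referer(request: Request) -> bool:
    """Technique 3: the Referer must name the trusted origin. A missing header
    is treated as a failure for state-changing requests, so this check is
    best used as defence in depth alongside the token checks."""
    referer = request.headers.get("Referer", "")
    if not referer:
        return False
    parsed = urlparse(referer)
    return f"{parsed.scheme}://{parsed.netloc}" == TRUSTED_ORIGIN


def is_request_allowed(request: Request, session_id: str) -> bool:
    """Apply all three checks to state-changing requests.

    Safe methods are let through only because they must never change state;
    an application that transfers money on a GET link (the one-click case
    above) cannot be protected by any of these checks.
    """
    if request.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    return (
        check_synchronizer_token(request, session_id)
        and check_double_submit(request)
        and check_referer(request)
    )


# --- constructed sample traffic -------------------------------------------
SESSION_ID = "sess-1234"  # constructed session identifier


def legitimate_request() -> Request:
    """Form submitted from the bank's own page: token, cookie copy and Referer all present."""
    return Request(
        method="POST",
        headers={"Referer": "https://bank.example/transfer"},
        cookies={"session": SESSION_ID, "csrf_cookie": "c0ffee"},
        form={"csrf_token": issue_csrf_token(SESSION_ID),
              "csrf_cookie": "c0ffee", "amount": "100"},
    )


def forged_request() -> Request:
    """Same POST triggered from another site: the browser attaches the cookies
    automatically, but the foreign page cannot read them or the token."""
    return Request(
        method="POST",
        headers={"Referer": "https://other.example/page"},
        cookies={"session": SESSION_ID, "csrf_cookie": "c0ffee"},
        form={"amount": "100"},
    )


if __name__ == "__main__":
    print("legitimate allowed:", is_request_allowed(legitimate_request(), SESSION_ID))
    print("forged allowed:", is_request_allowed(forged_request(), SESSION_ID))
```

The forged request fails all three checks independently, which is the point of layering them: the token check and the double-submit check rely on the browser's same-origin rules keeping the value away from other sites, while the Referer check catches the foreign origin directly but must also reject requests with no Referer at all.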
Cross site forgery attacks work because the victim is authenticated via cookie information, IP address, or another method. While it may seem that the responsibility to mitigate such attacks lies with the user, the damage done to a business that does not protect visitors from this type of attack can be devastating to the company's reputation. The Internet and social media make it easier for disgruntled customers to report negative experiences they have with a company, and security vendors have launched products that grade a website's reputation for delivering spam and malware, so the need to protect your reputation online is greater than ever. Having your website identified as vulnerable to cross site request forgery exploits can seriously hurt how your company does business on the web.
While cross site forgery attacks may not make the news as frequently as other attacks, they are consistently listed on the OWASP Top Ten as one of the most damaging vulnerabilities that plague websites, and every possible step should be taken to keep this threat from affecting your website's visitors.