Preventing Cross Site Request Forgery Attacks

Posted: February 4th, 2014
Filed under: IIS & HTTP

What is a Cross Site Request Forgery Attack?

Cross-site request forgery (CSRF or XSRF) is an attack that has been in the OWASP Top 10 since its inception, but is not nearly as talked about as other OWASP lifers like XSS or SQL injection. We’ve decided to give CSRF some needed attention and discuss some ways to mitigate it.

Also known as a “one click attack” or “session riding,” CSRF is an exploit very similar to an XSS attack. Rather than an attacker injecting unauthorized code into a website, a cross-site request forgery attack only transmits unauthorized commands from a user that the website or application considers to be authenticated.

Certain websites and applications are at risk: those that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. These attacks are characteristic vulnerabilities of Ajax-based applications that make use of the XMLHttpRequest (XHR) API. A user that is authenticated by a cookie saved in his Web browser could unknowingly send an HTTP request to a site that trusts him and thereby cause an unwanted action (for instance, withdrawing funds from a bank account).
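To make the cookie-riding mechanism concrete, here is an added example that is not part of the original post: a simulated "withdraw funds" handler that trusts the session cookie alone, beside the same handler guarded by a per-session anti-forgery (synchronizer) token. The session store, session id, user and request shapes are all constructed for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory session store (session id -> server-side state).
SESSIONS = {"sess-abc": {"user": "alice", "balance": 100, "csrf_token": None}}


def issue_csrf_token(session_id):
    """Mint a random per-session token; the server embeds it in its own forms,
    so only pages served from this origin can read and submit it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def withdraw_vulnerable(request):
    """Authorizes on the session cookie alone: any page that gets the browser
    to send that cookie can trigger the withdrawal (the CSRF case)."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not authenticated"
    session["balance"] -= int(request["form"]["amount"])
    return 200, "balance=%d" % session["balance"]


def withdraw_protected(request):
    """Same action, but also demands the token the site's own form carried."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not authenticated"
    sent = request["form"].get("csrf_token", "")
    expected = session.get("csrf_token") or ""
    # Constant-time comparison; reject a missing, stale or mismatched token.
    if not expected or not hmac.compare_digest(sent.encode(), expected.encode()):
        return 403, "missing or invalid anti-forgery token"
    session["balance"] -= int(request["form"]["amount"])
    return 200, "balance=%d" % session["balance"]


def legitimate_request(session_id, amount):
    """Submission from the site's own form: cookie plus the embedded token."""
    return {"cookies": {"session": session_id},
            "form": {"amount": str(amount),
                     "csrf_token": SESSIONS[session_id]["csrf_token"]}}


def cross_site_request(session_id, amount):
    """Submission from another origin: the browser attaches the cookie on its
    own, but that origin never saw the token, so the form lacks it."""
    return {"cookies": {"session": session_id}, "form": {"amount": str(amount)}}
```

The unprotected handler accepts the cross-site submission because the cookie alone satisfies it; the protected handler rejects it with 403 and only honours the request that carries the token.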
