Cross-Site Request Forgery (CSRF) is an attack that attempts to get a user to perform adverse actions on a site to which he or she is currently logged in and which does not properly validate its transactions. Once a user is authenticated on a site, the site has no way to distinguish legitimate requests from malicious ones. Such intrusions require knowledge of the proper way to submit a request, but if successful a request could accomplish any allowable function, such as making a purchase or retrieving account information. CSRFs can be initiated by a malicious web site, email, blog or instant message that generates rogue HTTP requests from an authenticated user's browser without the user's permission.
How then can we prevent CSRFs? It is not enough to rely on mechanisms such as secret cookies, multi-step transactions, URL rewriting, or only using POST requests. Rather, one reliable way to prevent CSRFs is to use what is called the Synchronizer Token Pattern, which issues a challenge token with each request. This token is always verified by the application on the server, and once the session ends the token expires. A second method, known as Double Submit Cookies, transmits the same value in two different ways: in the regular Cookie request header and as a hidden form value, so the server can check that the two match. A third method makes use of a Challenge-Response mechanism, which could include the use of CAPTCHA, password re-authentication or one-time tokens. These Challenge-Response methods are the best choice for applications needing the greatest security.
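As an added illustration (not code from the original page), the first two mechanisms in Python: a server-side synchronizer token bound to a session and discarded at logout, and a double-submit check. The in-memory session store and the dictionary standing in for an HTTP request are constructed for this example.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user": ..., "csrf": token}
SESSIONS = {}

def start_session(user):
    """Create a session and bind a fresh CSRF token to it (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid):
    """The token the server embeds in its own forms as a hidden field."""
    return SESSIONS[sid]["csrf"]

def end_session(sid):
    """Logging out discards the session and, with it, the token."""
    SESSIONS.pop(sid, None)

def verify_synchronizer(request):
    """request: dict with 'cookies' and 'form' (constructed stand-in for an HTTP request).
    Accept only if the session exists and the submitted token matches the one bound to it."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return False
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison so a mismatch leaks nothing about the expected token.
    return hmac.compare_digest(sess["csrf"].encode(), submitted.encode())

def verify_double_submit(request):
    """Double submit cookie: the same value must arrive in a cookie and in the form body.
    A forged cross-site request carries the cookie automatically but cannot read it
    to copy it into the form, so the two values will not match."""
    cookie_val = request["cookies"].get("csrf", "")
    form_val = request["form"].get("csrf_token", "")
    if not cookie_val:
        return False
    return hmac.compare_digest(cookie_val.encode(), form_val.encode())
```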
Several function libraries have been created which incorporate defenses against CSRF attacks, including:
- Direct Web Remoting (DWR) Java Library 2.0
- OWASP CSRF Guard (for Java)
- PHP CSRF Guard
- .Net CSRF Guard
There are also ways users themselves can reduce their exposure to CSRF attacks, by:
- Logging off web applications immediately when finished.
- Not saving user names and passwords in a browser.
- Using one browser for accessing secure applications and a different browser for general web surfing.
For more information see:
- Cross-Site Request Forgery
- Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
- Cross-site request forgery