More specifically, the goal of a CSRF attack is to send unauthorized commands from a user to a website. For example, commands are often linked to a specific URL: http://www.bonds?buy=1000&bond=ABC.
Certainly any site that performs actions based on input from authenticated or trusted users is at risk. Because a website can't tell whether a user intended to send a request, these attacks are difficult to defend against unless the site requires every user to authorize every action.
To make CSRF attacks harder to execute, your site should check the Referer header in each request, which reveals the address of the webpage. More importantly, critical requests, such as account login or purchase instructions, must include user-specific secret authentication values like characters from a password that the attacker can't guess. If the attacker can't determine the right values for all of a form's inputs, the attack will fail. Sites should also limit the lifetime of authentication cookies and not solely rely on them when processing form submissions or requests. To prevent forged login requests, sites should use these countermeasures even before the user is logged in. Sites should also be tested for cross-site scripting vulnerabilities as these are often used to inject a CSRF attack into a webpage.
Although browsers are the most common means to execute these attacks, the CSRF vulnerability is not solely limited to them. An attacker can just as easily embed attacks into any document that allows scripting, such as a Word document or Flash file. Given that individuals can do relatively little to protect themselves against these attacks, does the responsibility fall to vendors to fix this problem? There is always a case for browser and application vendors making their products more secure, but security must be balanced against usability. Would you really want to be forced to click "OK" every time you clicked on a link or "Submit" button? I think in this instance, website developers must assess the type of requests their applications are likely to process and implement authentication methods appropriate to the data or instructions in each of them.
Dig Deeper on Web Browser Security
Related Q&A from Michael Cobb
Pretty Good Privacy is nearly 25 years old and still widely used -- but is it as effective as it once was? Application security expert Michael Cobb ...continue reading
Homomorphic encryption can be used to bypass encryption, but it's for the good of all. Application security expert Michael Cobb explains.continue reading
Security expert Michael Cobb discusses the next iteration of HTTP -- HTTP/2 -- including how it's different from HTTP and how enterprises should ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.