More specifically, the goal of a CSRF attack is to send unauthorized commands from a user to a website. For example,...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
commands are often linked to a specific URL: http://www.bonds?buy=1000&bond=ABC.
Certainly any site that performs actions based on input from authenticated or trusted users is at risk. Because a website can't tell whether a user intended to send a request, these attacks are difficult to defend against unless the site requires every user to authorize every action.
To make CSRF attacks harder to execute, your site should check the Referer header in each request, which reveals the address of the webpage. More importantly, critical requests, such as account login or purchase instructions, must include user-specific secret authentication values like characters from a password that the attacker can't guess. If the attacker can't determine the right values for all of a form's inputs, the attack will fail. Sites should also limit the lifetime of authentication cookies and not solely rely on them when processing form submissions or requests. To prevent forged login requests, sites should use these countermeasures even before the user is logged in. Sites should also be tested for cross-site scripting vulnerabilities as these are often used to inject a CSRF attack into a webpage.
Although browsers are the most common means to execute these attacks, the CSRF vulnerability is not solely limited to them. An attacker can just as easily embed attacks into any document that allows scripting, such as a Word document or Flash file. Given that individuals can do relatively little to protect themselves against these attacks, does the responsibility fall to vendors to fix this problem? There is always a case for browser and application vendors making their products more secure, but security must be balanced against usability. Would you really want to be forced to click "OK" every time you clicked on a link or "Submit" button? I think in this instance, website developers must assess the type of requests their applications are likely to process and implement authentication methods appropriate to the data or instructions in each of them.
Dig Deeper on Web browser security
Related Q&A from Michael Cobb
Geofencing technology is increasingly being used as a security tactic, such as to control access to servers with DNS settings. Expert Michael Cobb ...continue reading
After a remote code execution flaw in PHPMailer was patched, the problem persisted, and had to be repatched. Expert Michael Cobb explains how the ...continue reading
The same-origin security feature in Adobe Flash Player was implemented incorrectly, allowing local attackers to spy on users. Expert Michael Cobb ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.