More specifically, the goal of a CSRF attack is to send unauthorized commands from a user to a website. For example, commands are often linked to a specific URL: http://www.bonds?buy=1000&bond=ABC.
Certainly any site that performs actions based on input from authenticated or trusted users is at risk. Because a website can't tell whether a user intended to send a request, these attacks are difficult to defend against unless the site requires every user to authorize every action.
To make CSRF attacks harder to execute, your site should check the Referer header in each request, which reveals the address of the webpage. More importantly, critical requests, such as account login or purchase instructions, must include user-specific secret authentication values like characters from a password that the attacker can't guess. If the attacker can't determine the right values for all of a form's inputs, the attack will fail. Sites should also limit the lifetime of authentication cookies and not solely rely on them when processing form submissions or requests. To prevent forged login requests, sites should use these countermeasures even before the user is logged in. Sites should also be tested for cross-site scripting vulnerabilities as these are often used to inject a CSRF attack into a webpage.
Although browsers are the most common means to execute these attacks, the CSRF vulnerability is not solely limited to them. An attacker can just as easily embed attacks into any document that allows scripting, such as a Word document or Flash file. Given that individuals can do relatively little to protect themselves against these attacks, does the responsibility fall to vendors to fix this problem? There is always a case for browser and application vendors making their products more secure, but security must be balanced against usability. Would you really want to be forced to click "OK" every time you clicked on a link or "Submit" button? I think in this instance, website developers must assess the type of requests their applications are likely to process and implement authentication methods appropriate to the data or instructions in each of them.
This was first published in July 2009