More specifically, the goal of a CSRF attack is to send unauthorized commands from a user to a website. For example,...
commands are often linked to a specific URL: http://www.bonds?buy=1000&bond=ABC.
Certainly any site that performs actions based on input from authenticated or trusted users is at risk. Because a website can't tell whether a user intended to send a request, these attacks are difficult to defend against unless the site requires every user to authorize every action.
To make CSRF attacks harder to execute, your site should check the Referer header in each request, which reveals the address of the webpage. More importantly, critical requests, such as account login or purchase instructions, must include user-specific secret authentication values like characters from a password that the attacker can't guess. If the attacker can't determine the right values for all of a form's inputs, the attack will fail. Sites should also limit the lifetime of authentication cookies and not solely rely on them when processing form submissions or requests. To prevent forged login requests, sites should use these countermeasures even before the user is logged in. Sites should also be tested for cross-site scripting vulnerabilities as these are often used to inject a CSRF attack into a webpage.
Although browsers are the most common means to execute these attacks, the CSRF vulnerability is not solely limited to them. An attacker can just as easily embed attacks into any document that allows scripting, such as a Word document or Flash file. Given that individuals can do relatively little to protect themselves against these attacks, does the responsibility fall to vendors to fix this problem? There is always a case for browser and application vendors making their products more secure, but security must be balanced against usability. Would you really want to be forced to click "OK" every time you clicked on a link or "Submit" button? I think in this instance, website developers must assess the type of requests their applications are likely to process and implement authentication methods appropriate to the data or instructions in each of them.
Dig Deeper on Web browser security
Related Q&A from Michael Cobb
The development of WPA3 helps advance Wi-Fi protocol, as the next generation of Wi-Fi-enabled devices begins to demand more. Expert Michael Cobb ... Continue Reading
An increase of IoT botnets has been seen since the Mirai malware source code was leaked. Learn how the new variants pose to be a serious threat to ... Continue Reading
Android Pixel vulnerabilities could open the smartphone up to attack. Expert Michael Cobb explains the vulnerabilities and how to defend against them. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.