Manage Learn to apply best practices and optimize your operations.

Preventing cross-site request forgery attacks

Application security expert Michael Cobb explains how to stop cross-site request forgery attacks.

How can website owners be preventing cross-site request forgery attacks, and do you think these defenses should be taken on by browser vendors?
Cross-site request forgery (CSRF) is interesting in that it exploits the way a website executes requests from a user. It assumes or "trusts" that the action is what the user wants to do. Cross-site request forgery attacks are the opposite of a cross-site scripting attack, which exploits how users trust the content being displayed by a website. There are some well-documented examples of how powerful a CSRF attack can be. About 18 million eBay users in Korea, for example, lost personal information in 2008 to a CSRF attack, and customers of a bank in Mexico were rerouted to a different website, thanks to a malicious email's image tag.

More specifically, the goal of a CSRF attack is to send unauthorized commands from a user to a website. For example,...

commands are often linked to a specific URL: http://www.bonds?buy=1000&bond=ABC.

If the attacker can force the browser to send this request while the user is logged into his or her account, the website will carry out the request. Typically an attacker will embed JavaScript code directly into an email or webpage, utilizing a cross-site scripting flaw in order to request a specific "task url," which will then execute without the user's knowledge. The attack is invisible to its victims so an attacker can experiment almost indefinitely to try to craft a successful attack.

Certainly any site that performs actions based on input from authenticated or trusted users is at risk. Because a website can't tell whether a user intended to send a request, these attacks are difficult to defend against unless the site requires every user to authorize every action.

To make CSRF attacks harder to execute, your site should check the Referer header in each request, which reveals the address of the webpage. More importantly, critical requests, such as account login or purchase instructions, must include user-specific secret authentication values like characters from a password that the attacker can't guess. If the attacker can't determine the right values for all of a form's inputs, the attack will fail. Sites should also limit the lifetime of authentication cookies and not solely rely on them when processing form submissions or requests. To prevent forged login requests, sites should use these countermeasures even before the user is logged in. Sites should also be tested for cross-site scripting vulnerabilities as these are often used to inject a CSRF attack into a webpage.

Although browsers are the most common means to execute these attacks, the CSRF vulnerability is not solely limited to them. An attacker can just as easily embed attacks into any document that allows scripting, such as a Word document or Flash file. Given that individuals can do relatively little to protect themselves against these attacks, does the responsibility fall to vendors to fix this problem? There is always a case for browser and application vendors making their products more secure, but security must be balanced against usability. Would you really want to be forced to click "OK" every time you clicked on a link or "Submit" button? I think in this instance, website developers must assess the type of requests their applications are likely to process and implement authentication methods appropriate to the data or instructions in each of them.

This was last published in July 2009

Dig Deeper on Web browser security