Cross-Site Request Forgery (CSRF) deceives users into unintended actions through forged HTTP requests. Learn prevention methods and example attack scenarios.
Cross-Site Request Forgery (CSRF) is a web security vulnerability that allows an attacker to trick a victim into performing undesired actions while authenticated on a website. The attacker creates forged HTTP requests and tricks the victim into submitting them, leading to unauthorized state-changing operations.
Cross-Site Request Forgery (CSRF) takes advantage of the fact that most web applications allow attackers to predict the details of a particular action. By creating malicious web pages that generate forged requests indistinguishable from legitimate ones, attackers can deceive users into performing actions they did not intend to take. CSRF flaws are fairly easy to detect through penetration testing or code analysis.
To prevent CSRF attacks, it is recommended to include an unpredictable token in each HTTP request. This token should be unique per user session and can be included in the body of the HTTP request as a hidden field or in the URL itself. Requiring the user to reauthenticate or prove their identity can also provide protection against CSRF. Additionally, utilizing tools like OWASP's CSRF Guard or ESAPI can automatically include CSRF tokens in web applications.
Unauthorized Money Transfer: An attacker constructs a request to transfer money from the victim's account to the attacker's account and embeds this attack in an image request or iframe stored on various sites under the attacker's control. If the victim visits any of the attacker's sites while already authenticated to a target website, the forged requests will automatically include the user's session information, authorizing the attacker's request.
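The token-based defense from the prevention paragraph, applied to the money-transfer scenario above, as an added example that is not part of the original page or of any OWASP project code. It is a stand-alone Python simulation of a `POST /transfer` handler: the session store, session ids, user names, balances and request dictionaries are all constructed here for illustration. The forged request is modelled only by what a cross-site page can and cannot make the browser send: the session cookie is attached automatically, but the per-session token, which lives in the victim's own page, is not present.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> session data.
# A real application would keep this server-side (database, cache, etc.).
SESSIONS = {}


def start_session(user):
    """Create a session and bind a fresh, unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        "csrf_token": secrets.token_urlsafe(32),  # unique per session
        "balance": 1000,                          # constructed sample balance
    }
    return sid


def csrf_token_for(sid):
    """Token the legitimate transfer form embeds as a hidden field."""
    return SESSIONS[sid]["csrf_token"]


def token_is_valid(sid, submitted):
    """Compare the submitted token with the session's token in constant time."""
    session = SESSIONS.get(sid)
    if session is None or submitted is None:
        return False
    return hmac.compare_digest(session["csrf_token"], submitted)


def handle_transfer(cookies, form):
    """
    Simulated state-changing handler for POST /transfer.
    cookies: cookies the browser attached automatically (carries the session id)
    form:    fields from the request body
    Returns an (HTTP status, message) tuple.
    """
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "not authenticated"
    # The CSRF check runs before any state change, independent of the cookie.
    if not token_is_valid(sid, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    amount = int(form.get("amount", "0"))
    session = SESSIONS[sid]
    if amount <= 0 or amount > session["balance"]:
        return 400, "invalid amount"
    session["balance"] -= amount
    return 200, f"transferred {amount} to {form['to']}"


def demo():
    """Run a forged request and a legitimate request against one session."""
    sid = start_session("alice")
    cookies = {"session": sid}  # sent by the browser on every request to the site

    # Forged cross-site request: cookie present, token absent because the
    # attacker's page cannot read alice's form.
    forged = handle_transfer(cookies, {"to": "attacker", "amount": "500"})

    # Legitimate request: the form rendered for alice carried the token.
    legit = handle_transfer(
        cookies,
        {"to": "bob", "amount": "100", "csrf_token": csrf_token_for(sid)},
    )
    return forged, legit, SESSIONS[sid]["balance"]


if __name__ == "__main__":
    forged, legit, balance = demo()
    print("forged request:    ", forged)   # (403, 'CSRF token missing or invalid')
    print("legitimate request:", legit)    # (200, 'transferred 100 to bob')
    print("remaining balance: ", balance)  # 900
```

Two design points a practitioner would check when reviewing such a handler: the token is generated with a cryptographically secure source and bound to the session rather than derived from anything predictable, and it is compared with `hmac.compare_digest` so a mismatch does not leak timing. Of the two placements the page mentions, the hidden form field is preferable to the URL, because URL query strings tend to end up in server logs, browser history and Referer headers, where the token can be read back.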