OWASP Top Ten Web Application Vulnerabilities #4: Cross-Site Request Forgery (CSRF)

Cross-site request forgery, or CSRF, is a type of web application vulnerability in which hackers trick authenticated users of your website into submitting requests to the web application on the hacker's behalf, without the legitimate user being aware of it. A CSRF attack tricks the legitimate user into loading a hacker's web page, which then uses the legitimate user's credentials to perform malicious actions while masquerading as the user. For example, a successful CSRF attack can let a hacker purchase something with your own account and have it shipped to the hacker.

There are many ways in which a hacker can use a CSRF attack to piggyback on the identity of a legitimate user. Hackers intercept the URL a user would submit and modify it so that, instead of depositing money in, say, her Mom's account, the information in the URL instructs the bank's web application to deposit the money into the hacker's account. The hacker then sends the victim an email containing that link; when the victim clicks on it, the banking transaction is processed, all without the victim's knowledge. In other words, it is a hijacking of the legitimate user's connected session with the bank.

Forged requests such as the one described here are hard to distinguish from legitimate requests, because they arrive with the user's real session cookies. Fortunately, you can detect CSRF flaws in your web applications through penetration testing of the apps or through code analysis. OWASP also offers the CSRF Tester, an open source tool, to generate test cases. You test for CSRF flaws by checking whether each link and form in the app contains an unpredictable token for each user of the app. You can prevent CSRF attacks by including such a unique token in a hidden field of each form, while avoiding putting it in the URL; the server rejects any state-changing request that does not carry the expected token, so a hacker's page cannot reuse the legitimate user's authenticated session.
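The defense described above, as an added example that is not part of the original post or of any OWASP tool: a server mints an unpredictable token bound to the user's session, embeds it in a hidden form field, and refuses a money-transfer request whose token is missing or does not verify. A page on the hacker's site cannot read the victim's form (same-origin policy), so the forged request arrives without a valid token. The names (`issue_csrf_token`, `verify_csrf_token`, `handle_transfer`), the `SERVER_SECRET` value and the request bodies are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed placeholder secret; a real deployment loads this from a secret
# store and never ships it in source control.
SERVER_SECRET = b"example-server-secret-not-for-production"


def _mac(session_id: str, nonce: str) -> str:
    """HMAC over session id and nonce, so a token from one session is useless in another."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Mint an unpredictable token for this session: random nonce plus its MAC."""
    nonce = secrets.token_hex(16)          # 128 bits of randomness per token
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Accept only tokens whose MAC matches for the *current* session.

    compare_digest is constant-time, so a hacker cannot learn the MAC byte by
    byte from response timing.
    """
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:                       # empty, missing or malformed token
        return False
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def render_transfer_form(session_id: str) -> str:
    """Emit the form with the token in a hidden field, not in the action URL."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/transfer">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input name="to"> <input name="amount">\n'
        '  <button>Transfer</button>\n'
        "</form>"
    )


def handle_transfer(session_id: str, body: str) -> str:
    """Server-side handler for the POST; the session id comes from the cookie-backed session.

    Returns a status line (constructed, not a real HTTP response) so the
    outcome can be checked.
    """
    fields = parse_qs(body)
    token = fields.get("csrf_token", [""])[0]
    if not verify_csrf_token(session_id, token):
        # A forged request from another site lands here: it carries the
        # victim's cookies but not the token from the victim's own form.
        return "403 Forbidden: missing or invalid CSRF token"
    to = fields.get("to", [""])[0]
    amount = fields.get("amount", [""])[0]
    return f"200 OK: transferred {amount} to {to}"


if __name__ == "__main__":
    sid = "session-of-victim"
    # Legitimate submission: body includes the token from the rendered form.
    good_token = issue_csrf_token(sid)
    print(handle_transfer(sid, f"to=mom&amount=50&csrf_token={good_token}"))
    # Forged submission: a hacker's page posts the same fields without the token.
    print(handle_transfer(sid, "to=hacker&amount=5000"))
```

The token is stateless (nothing is stored server-side), which is convenient but means a token never expires on its own; if that matters, embed a timestamp in the MACed message and reject stale tokens in `verify_csrf_token`. Keeping the token out of the URL, as the post advises, also keeps it out of browser history, proxy logs and `Referer` headers.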
