Cross-Site Request Forgery
An attack that tricks users into performing unwanted actions on websites where they're authenticated
Also known as: Cross-Site Request Forgery, XSRF, Sea Surf
Category: Concepts
Tags: security, attacks, web-security, vulnerabilities, authentication
Explanation
Cross-Site Request Forgery (CSRF or XSRF) is a web security vulnerability that tricks authenticated users into performing unintended actions on a web application. The attack exploits the trust that a site has in the user's browser by leveraging existing authentication credentials (such as session cookies) to execute unauthorized commands. Because browsers automatically include cookies with requests, malicious websites can trigger actions on other sites where users are logged in.
CSRF attacks work by crafting requests that appear legitimate to the target application. An attacker might embed a hidden form or image tag on their malicious page that submits a request to a banking site when visited. If the victim is logged into their bank, the forged request executes with their privileges, potentially transferring funds or changing account settings. The attack can be delivered through emails, forum posts, or compromised websites.
Notable CSRF exploits include the 2008 Netflix vulnerability that allowed attackers to change account details. The 2007 Gmail filter vulnerability enabled attackers to forward all emails to themselves. Banking trojans have combined CSRF with other techniques to perform unauthorized transactions. Even tech giants like Google and Facebook have patched numerous CSRF vulnerabilities over the years.
Defenses include anti-CSRF tokens (synchronizer tokens) that let the server verify a request originated from its own pages, SameSite cookie attributes that stop the browser from attaching the session cookie to cross-site requests, re-authentication for sensitive actions, custom request headers (which a cross-origin page cannot set unless the server explicitly allows it through CORS), checks of the Origin and Referer headers, and the double-submit cookie pattern for stateless applications.
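The following added example (written for this entry, not taken from any project the page mentions) shows the attack path from the two paragraphs above next to the defenses from this one: a cookie-only "transfer" handler accepts a forged cross-site POST, while the hardened handler rejects it on the Origin check and the synchronizer token. A stateless double-submit variant is included as well. The request and session classes, the `bank.example` origin, the server key and all function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Assumed application origin (placeholder for the example).
APP_ORIGIN = "https://bank.example"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a framework would present it."""
    method: str
    headers: dict
    cookies: dict
    form: dict


@dataclass
class Session:
    """Server-side session looked up from the session cookie."""
    user: str
    csrf_token: Optional[str] = None


def issue_csrf_token(session: Session) -> str:
    """Synchronizer token: a random per-session secret kept server-side and
    embedded as a hidden field in every state-changing form."""
    session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def synchronizer_token_valid(session: Session, submitted: Optional[str]) -> bool:
    if not session.csrf_token or not submitted:
        return False
    # Constant-time comparison so the check cannot leak the token byte by byte.
    return hmac.compare_digest(session.csrf_token, submitted)


def origin_allowed(headers: dict, app_origin: str = APP_ORIGIN) -> bool:
    """Browsers attach Origin to cross-site POSTs; fall back to Referer when absent.
    A request carrying neither header is treated as untrusted."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == app_origin


# Double-submit cookie variant for stateless deployments: the token is an HMAC of
# the session id under a server key, delivered both as a cookie and a form field.
SERVER_KEY = secrets.token_bytes(32)  # constructed here; a real service loads it from config


def double_submit_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def double_submit_valid(session_id: str, cookie_token: Optional[str],
                        form_token: Optional[str], key: bytes = SERVER_KEY) -> bool:
    if not cookie_token or not form_token:
        return False
    expected = double_submit_token(session_id, key)
    # Cookie must be the one we minted for this session, and the form copy must match it.
    return hmac.compare_digest(expected, cookie_token) and hmac.compare_digest(cookie_token, form_token)


def handle_transfer(req: Request, session: Session, hardened: bool = True) -> dict:
    """Vulnerable (hardened=False) versus hardened version of a state-changing endpoint.
    The vulnerable version relies on the session cookie alone, which the browser
    sends with cross-site requests too."""
    if req.method != "POST":
        return {"status": 405}
    if hardened:
        if not origin_allowed(req.headers):
            return {"status": 403, "reason": "bad origin"}
        if not synchronizer_token_valid(session, req.form.get("csrf_token")):
            return {"status": 403, "reason": "missing or wrong csrf token"}
    return {"status": 200, "by": session.user, "to": req.form["to"], "amount": req.form["amount"]}


def forged_request() -> Request:
    """Constructed: what arrives when a hidden form on another site auto-submits.
    The browser attaches the victim's session cookie but the page cannot read the token."""
    return Request("POST", {"Origin": "https://attacker.example"},
                   {"session": "victim-sid"}, {"to": "mallory", "amount": "1000"})


def legit_request(token: str) -> Request:
    """Constructed: the same action submitted from the application's own form."""
    return Request("POST", {"Origin": APP_ORIGIN}, {"session": "victim-sid"},
                   {"to": "bob", "amount": "25", "csrf_token": token})


if __name__ == "__main__":
    s = Session(user="alice")
    print("vulnerable:", handle_transfer(forged_request(), s, hardened=False))
    print("hardened:  ", handle_transfer(forged_request(), s))
    print("legit:     ", handle_transfer(legit_request(issue_csrf_token(s)), s))
```

The Origin check runs before the token check so a forged request is refused without touching session state; the token check remains because Origin can be absent on some requests and because the token also protects the form when the same site hosts user-controlled content.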