Cross-site request forgery (CSRF) is an attack that causes a victim's browser to send a request the victim never intended to a website where the victim is authenticated, so that the site treats the forged request as the user's own. The attack is also known as "session riding" or "one-click attack" and is commonly pronounced "sea-surf". A CSRF attack is delivered through a link or page the attacker controls, such as a link sent in an email or messenger chat, or a web page containing a hidden form or image tag that triggers the request. It does not require a cross-site scripting flaw in the target site, although an XSS flaw on that site lets an attacker bypass most CSRF defenses.
In order for CSRF to work, the user must be logged in or otherwise authenticated to the target site. The attacker then rides on that authentication to make a request on the user's behalf. This is the hard part of the attack: the attacker has to make sure the user is logged in at the moment the forged request fires, or rely on cookies that keep the user logged in for a period of time. The attack works because the browser automatically attaches a site's cookies to every request sent to that site, regardless of which page caused the request. The forged request is a valid one for the site, for example a form submission that authorizes a transfer from the user's bank account to the attacker's account. Since it carries the user's valid session credentials, the site processes it just as if the user had submitted it herself.
The attack is by no means easy to carry out, but once it succeeds it is particularly hard for the victim to prove that she did not make the request. A CSRF attack can also subscribe users to services or newsletters, change their email address or password, or make purchases, among other harms. Because the browser's same-origin policy stops the attacker's page from reading the response, CSRF is normally used to change state in the user's account rather than to read confidential information directly. A variant of CSRF, known as login CSRF, forges a login request that signs the victim into the site under the attacker's credentials, so that anything the victim then does in the site (searches, saved payment details) is recorded in an account the attacker controls.
Protective Measures
The root cause is the combination of a browser behaviour (cookies are attached to every request to a site, whichever page caused it) and a website that relies on the session cookie alone to authorize a state-changing action. The most effective defenses therefore belong in the design of the website: a secret anti-CSRF token tied to the user's session and required on every state-changing request, a check of the request's Origin header, and session cookies marked SameSite. The measures below are on the user's side and only reduce the risk of an exploit; they do not remove the vulnerability.
Practices
- Log out of a website when not in use: Many websites offer to keep you logged in, indefinitely or for a period of time. A forged request only succeeds while a valid session exists, so log out when you are finished and avoid that option as much as possible.
- Avoid the "remember me" option: Persistent login cookies keep a valid session in the browser for days or weeks, which is exactly what a forged request rides on. A password stored in the browser's password manager is a smaller concern for CSRF, since the browser does not submit it without your action, but do not leave either on a shared machine.
- Do not click on unknown links: Be careful when clicking on links included in emails, online forums and messenger chats, even if received from someone you trust, since the sender's account may itself be compromised. If the content of the message seems strange or different from your normal conversation topics with that contact, avoid the link or verify it with your friend before accessing it.
- Separate sensitive sessions from general browsing: Browser tabs make surfing easier and clutter free, but every tab and window of the same browser profile shares one cookie jar, so a malicious page open in any of them can forge requests to a site you are logged into in another. Opening a separate window does not help; using a separate browser profile, or a different browser, for banking and other sensitive sites does.
- Private browsing: All major browsers provide "private browsing". It does not block tracking, but a private window keeps its own cookies, separate from your normal session, and deletes them together with the browsing history when the window is closed. A sensitive site opened in a private window is therefore out of reach of a forged request from a page in your normal windows, though a malicious page opened inside the same private session can still reach it.
Settings
- Disable or manage cookies: All browsers let you set cookie preferences at any time, including blocking third-party cookies and clearing all cookies when the browser closes. Turning cookies off entirely stops websites from keeping you logged in at all, so you lose the convenience of a remembered session, but it also leaves nothing for a forged request to ride on. A more usable middle ground is to clear cookies at the end of each browsing session so that no stale login survives.
Tools
Browsers have no built-in mechanism to detect, block or limit CSRF as such. Some add-ons provide settings and options that help, mainly by controlling which cross-site requests are allowed. Note that a script blocker on its own does not stop CSRF: the attacker's page needs no script, since a plain HTML form or image tag is enough to trigger the request, so what matters is blocking the cross-site request, not the script.
- Firefox: the RequestPolicy add-on lets users control which cross-site requests are allowed.
- Chrome: NoScripts blocks all scripts, but requires the user to have a Google account to access and download it.
- Internet Explorer: as of IE8 there is a built-in scripting filter that makes cross-site scripting vulnerabilities harder to exploit.
Ethical Issues
Most of the vulnerabilities that allow this exploit come from the way a website is built. It is important for organizations and individuals to ensure that their website designers take precautions to mitigate these risks. Customers trust that a website from a reputable brick-and-mortar company or an established online corporation has been built with security mechanisms in place to protect them, and these organizations have a responsibility to ensure this is always the case.
Privacy Issues
Although users enjoy personalized experiences while surfing the Internet, and websites offer many ways to make an online experience easier, these same conveniences can be used maliciously to invade your privacy. Be careful about which websites you allow to store your information, and be especially careful when viewing your sensitive information online.