• Cross-site Request Forgery (CSRF) attacks exploit web application vulnerabilities where an attacker tricks an unsuspecting user’s browser into sending forged requests to a site on which the user is already authenticated; the browser attaches the session cookie automatically, so the target site treats the forged request as the user’s own
  • The vulnerability lies in the target web application, which accepts any request (GET/POST/Path parameters) carrying a valid session credential without checking that the user intended it; it is not a flaw in the victim’s browser or in the site hosting the CSRF payload

Insecure Code

  • In the insecure code, the action is performed on any GET request that carries the session cookie; an attacker can craft such a GET (for example in an image tag on a page they control) and the victim’s browser submits it, letting the attacker act or view data with the victim’s privileges

Secure Code

  • In the secure code, the programmer verifies that the request originated from the application’s own form (for example with a per-session token) and sends an error page if the user’s GET request has been modified or forged

Cross-site Request Forgery (CSRF) Countermeasures

  1. Web applications should not rely on credentials the browser attaches automatically (session cookies, HTTP Basic/Digest authentication) to authorize state-changing requests, because those are exactly what CSRF reuses; require something the attacker’s page cannot obtain, such as a per-request token or re-authentication for sensitive operations
  2. Use page tokens (synchronizer tokens): unpredictable, session-bound values embedded in each form and verified on every http or https request that changes state; rotating them per request limits replay
  3. Use GET and POST appropriately: GET only for safe, idempotent reads and POST for state changes. This is necessary but not sufficient, since an attacker can auto-submit a cross-site POST form
  4. Check the HTTP “Referer” (or, in modern browsers, the Origin header) against the application’s own origin to mitigate cross-site requests; treat this as defence in depth, because proxies and privacy settings can strip Referer
  5. Implement the OWASP CSRFGuard library, which applies the synchronizer token pattern to minimize the risk of CSRF attacks
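The following added example (not code from the original page or from OWASP CSRFGuard) puts the Insecure Code / Secure Code contrast and countermeasures 2 to 4 into one runnable Python handler pair. The application origin, the in-memory session store and the request tuples are all constructed assumptions; `transfer_insecure` executes a money transfer on any request that carries a session cookie, while `transfer_secure` requires POST, a matching synchronizer token and a same-origin Origin/Referer header, returning an error page otherwise.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the protected application (hypothetical host).
APP_ORIGIN = "https://bank.example"

# Constructed server-side session store, keyed by the session cookie value.
SESSIONS = {"sess-1": {"user": "alice", "balance": 1000, "csrf_token": None}}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: a fresh random secret stored in the session and
    embedded in the form the app renders. A page on another origin cannot
    read it, so a forged request cannot carry it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def transfer_insecure(session_id, method, params, headers):
    """Insecure handler: any request with a valid session cookie is executed,
    so a GET forged from another site (e.g. an <img src=...> tag) moves money
    as soon as the victim's browser loads it."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    amount = int(params["amount"])
    session["balance"] -= amount
    return 200, f"sent {amount} to {params['to']}"


def _same_origin(headers) -> bool:
    """Prefer Origin, fall back to Referer, refuse if neither is present.
    Browsers send Origin on cross-site POSTs; Referer may be stripped."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            parts = urlsplit(value)
            return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN
    return False


def transfer_secure(session_id, method, params, headers):
    """Hardened handler: state change only on POST, only from the app's own
    origin, and only with a matching synchronizer token (countermeasures 2-4)."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    if method != "POST":
        return 405, "error page: state-changing requests must use POST"
    if not _same_origin(headers):
        return 403, "error page: cross-site request rejected (Origin/Referer)"
    expected = session.get("csrf_token")
    supplied = params.get("csrf_token", "")
    # Constant-time comparison so validation does not leak the token via timing.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "error page: invalid or missing CSRF token"
    amount = int(params["amount"])
    session["balance"] -= amount
    issue_csrf_token(session_id)  # rotate so the used token cannot be replayed
    return 200, f"sent {amount} to {params['to']}"


def demo():
    """Constructed scenario: forged cross-site requests vs. the legitimate form."""
    results = {}
    forged_params = {"to": "mallory", "amount": "500"}
    forged_headers = {"Referer": "https://evil.example/page.html"}  # attacker's page

    SESSIONS["sess-1"]["balance"] = 1000
    results["insecure_forged_get"] = transfer_insecure("sess-1", "GET", forged_params, forged_headers)[0]

    SESSIONS["sess-1"]["balance"] = 1000
    results["secure_forged_get"] = transfer_secure("sess-1", "GET", forged_params, forged_headers)[0]
    # Attacker upgrades to an auto-submitting POST form: still wrong origin, no token.
    results["secure_forged_post"] = transfer_secure("sess-1", "POST", forged_params, forged_headers)[0]

    token = issue_csrf_token("sess-1")
    legit_params = {"to": "bob", "amount": "100", "csrf_token": token}
    results["secure_legit"] = transfer_secure("sess-1", "POST", legit_params, {"Origin": APP_ORIGIN})[0]
    # Replaying the already-used token is refused because it was rotated.
    results["secure_replayed_token"] = transfer_secure("sess-1", "POST", legit_params, {"Origin": APP_ORIGIN})[0]
    results["balance"] = SESSIONS["sess-1"]["balance"]
    return results


if __name__ == "__main__":
    print(demo())
```

Rejecting requests that carry neither Origin nor Referer, as `_same_origin` does, can break legitimate clients behind privacy proxies; the token check is the primary control and the origin check is defence in depth, so a deployment that must tolerate stripped headers should fall back to token-only validation rather than drop the token.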