Cross site request forgery (CSRF) risks

Home > Cyber Security Solutions > Various-Security-Offerings > Penetration Test > Specialized Pen Testing > Web Portals > Cross site request forgery (CSRF) risks

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

Prevention :
Individual Web users using unmodified versions of the most popular browsers can do relatively little to prevent cross-site request forgery. Logging out of sites and avoiding their "remember me" features can mitigate CSRF risk; not displaying external images or not clicking links in spam or untrusted e-mails may also help.

Browser extensions such as RequestPolicy (for Mozilla Firefox) can prevent CSRF by providing a default-deny policy for cross-site requests. However, this can significantly interfere with the normal operation of many websites. The CsFire extension (also for Firefox) can mitigate the impact of CSRF with less impact on normal browsing, by removing authentication information from cross-site requests. The NoScript extension for Firefox mitigates CSRF threats by distinguishing trusted from untrusted sites, and removing payloads from POST requests sent by untrusted sites to trusted ones. The Self Destructing Cookies extension for Firefox does not directly protect from CSRF, but can mitigate the threat by deleting cookies as soon as they are no longer associated with an open tab.
Web sites have various CSRF countermeasures available:

  • Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions
  • Requiring the client to provide authentication data in the same HTTP Request used to perform any operation with security implications (money transfer, etc.)
  • Limiting the lifetime of session cookies
  • Ensuring that there is no clientaccesspolicy.xml file granting unintended access to Silverlight controls
  • Ensuring that there is no crossdomain.xml file granting unintended access to Flash movies
  • Verifying that the request's header contains a X-Requested-With (used by Ruby on Rails before v2.0 and Django before v1.2.5), or checking the HTTP Referer header and/or HTTP Origin header.These protections have been proven insecure under a combination of browser plugins and redirects which can allow an attacker to provide custom HTTP headers on a request to any website, hence allowing a forged request.

An easy and effective solution is to use a CSRF filter such as OWASP's CSRFGuard. The filter intercepts responses, detects if it is a html document and inserts a token into the forms and optionally inserts script to insert tokens in ajax functions. The filter also intercepts requests to check that the token is present.

We at Valency Networks, India, can catch these serious security problems in our vulnerability assessment and provide solutions.