Cross-site forgery attacks trick web browsers into sending unauthorized commands to a remote server, and can be prevented by logging out of websites and using randomly generated tokens. Referrer checking and relying on cookies are not effective. Web developers should require a one-time token for user requests, and users should disable persistent login options.
A cross-site forgery (XSRF or CSRF), also known by a variety of names including cross-site request forgery, session riding, and one-click attack, is a difficult type of website exploit to prevent. It works by tricking a web browser into sending unauthorized commands to a remote server. Cross-site forgery attacks only work against users who have logged into websites with genuine credentials; as a result, logging out of websites can be a simple and effective preventative measure. Web developers can use randomly generated tokens to prevent this type of attack, but they should avoid referrer checking or relying on cookies.
It is common for cross-site forgery exploits to target web browsers in what is known as a “confused deputy attack.” The browser, believing that it is acting on behalf of the user, is tricked into sending unauthorized commands to a remote server. These commands can be hidden within innocent-looking portions of a web page’s markup code, meaning that a browser attempting to download an image file could actually send commands to a bank, online retailer, or social network. Some browsers now include measures designed to prevent cross-site forgery attacks, and third-party programmers have created extensions or plug-ins for browsers that lack these measures. It might also be a good idea to disable HyperText Markup Language (HTML) e-mail in your preferred client, because e-mail programs are also vulnerable to cross-site forgery attacks.
Cross-site forgery attacks rely on users being legitimately logged into a website. With this in mind, one of the easiest ways to prevent such an attack is simply to log out of sites you’re done using. Many sites that process sensitive data, including banks and brokerage firms, log users out automatically after a certain period of inactivity. Other sites take the opposite approach and allow users to stay logged in persistently for days or weeks. While you may find this convenient, it exposes you to CSRF attacks. Look for a “remember me on this computer” or “keep me signed in” option and disable it, and be sure to click the logout link when you have completed a session.
For web developers, eliminating cross-site forgery vulnerabilities can be a particularly challenging task. Checking referrer and cookie information doesn’t provide much protection, because CSRF exploits use the user’s legitimate credentials and this information is easy to spoof. A better approach is to randomly generate a one-time token every time a user logs in and require that the token be included in any request the user sends. For important requests such as purchases or fund transfers, requiring the user to re-enter their username and password can help ensure the authenticity of the request.
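The token scheme just described, together with the forged image fetch from the earlier paragraph, as an added example that is not part of the original article: a stand-alone Python model of a bank’s transfer endpoint. The in-memory session store, the request dictionaries, and every function name here are constructed for illustration and are not any framework’s API. The vulnerable handler trusts the session cookie alone, which the browser attaches to any request regardless of which page triggered it; the hardened handler additionally requires a POST carrying the token minted at login, compared in constant time.

```python
import hmac
import secrets

# Constructed in-memory state standing in for a real session store and database.
SESSIONS = {}                      # session_id -> {"user": str, "csrf_token": str}
BALANCES = {"alice": 100, "mallory": 0}


def login(user):
    """Create a session for `user` and mint a fresh random token bound to it.

    Returns the session id that a real server would set as the session cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The token the server embeds as a hidden field in forms it renders for this session."""
    return SESSIONS[sid]["csrf_token"]


def _do_transfer(sender, to, amount):
    """Apply a transfer if it is well-formed and affordable."""
    if to not in BALANCES or amount <= 0 or BALANCES[sender] < amount:
        return 400, "rejected"
    BALANCES[sender] -= amount
    BALANCES[to] += amount
    return 200, "transferred"


def transfer_vulnerable(request):
    """Handler that trusts the session cookie alone and honours GET, so a request
    the browser issued while rendering someone else's page is indistinguishable
    from one the user meant to send."""
    sess = SESSIONS.get(request["cookies"].get("session", ""))
    if sess is None:
        return 401, "not logged in"
    params = request["params"]
    return _do_transfer(sess["user"], params["to"], int(params["amount"]))


def transfer_hardened(request):
    """Same action, but state changes require POST plus the session's token in the
    body. A cross-site page can make the browser send the cookie, not the token."""
    if request["method"] != "POST":
        return 405, "state-changing requests must be POST"
    sess = SESSIONS.get(request["cookies"].get("session", ""))
    if sess is None:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison so the check itself leaks no timing information.
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    form = request["form"]
    return _do_transfer(sess["user"], form["to"], int(form["amount"]))


def forged_image_request(sid):
    """What the browser sends when another origin's page embeds an <img> whose
    src points at the transfer URL: a GET with the victim's cookie and nothing else."""
    return {"method": "GET", "cookies": {"session": sid},
            "params": {"to": "mallory", "amount": "50"}, "form": {}}


def forged_form_post(sid):
    """The same idea via an auto-submitted cross-site form: a POST with the cookie,
    but the other origin cannot read the victim's token, so it is absent."""
    return {"method": "POST", "cookies": {"session": sid}, "params": {},
            "form": {"to": "mallory", "amount": "50"}}


def legitimate_request(sid):
    """A POST from the bank's own form, which carried the token as a hidden field."""
    return {"method": "POST", "cookies": {"session": sid}, "params": {},
            "form": {"to": "mallory", "amount": "50", "csrf_token": csrf_token_for(sid)}}


def demo():
    """Run both handlers against forged and legitimate requests.

    Returns the status codes as (vulnerable forged GET, hardened forged GET,
    hardened forged POST, hardened legitimate POST)."""
    BALANCES.update({"alice": 100, "mallory": 0})
    sid = login("alice")
    v_get, _ = transfer_vulnerable(forged_image_request(sid))
    h_get, _ = transfer_hardened(forged_image_request(sid))
    h_post, _ = transfer_hardened(forged_form_post(sid))
    h_ok, _ = transfer_hardened(legitimate_request(sid))
    return v_get, h_get, h_post, h_ok


if __name__ == "__main__":
    print(demo())   # (200, 405, 403, 200)
```

The token is per login here, matching the article’s advice; rotating it per request is stricter but breaks multi-tab use, so most frameworks bind one token to the session. Note that the hardened handler never consults the Referer header or the cookie’s contents for its decision: the cookie only identifies the session, and the secret the other origin cannot obtain is the token.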