Ask the Expert

Cross-site request forgery: How this Web exploit works

How does a cross-site request forgery work?

    Requires Free Membership to View

When visiting a Web site, the HTML code behind the scenes is capable of making a Web browser request third-party content from any other Web site. Most of the time these requests are for images, Cascading Style Sheets, JavaScript, or pieces of other Web pages. However, nothing prevents a malicious Web page from forcing a victim's browser to make an unintended request to any other Web site. This is where the name cross-site request forgery (CSRF or XSRF) comes from.

Using CSRF, if a victim happens to be logged into their bank site, an unintended request could force them to wire transfer out their own money. Or, in another context, CSRF could cause a user to post a derogatory comment on their blog or someone else's. Worse still, it could force a hack another Web site or download illegal content. The possibilities are endless.

To Web servers, one request looks more or less just like another. The challenge of this particular issue is detection. The unintended request is legitimate (not hacked up), the user is the right user (authenticated), and the request is being made directly to the real Web site (no man-in-the-middle). The only problem is the victim did not intend to make the request, but the Web server doesn't know that. And the scary part is the vast majority of Web sites are vulnerable with users having very little ability to defend themselves against CSRF.

More information:

This was first published in November 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: