Q

Cross-site request forgery: How this Web exploit works

Cross-site request forgery is a major threat to Web security, and most Web sites aren't equipped to handle this exploit. Expert Jeremiah Grossman explains how CSRF works.

How does a cross-site request forgery work?

When visiting a Web site, the HTML code behind the scenes is capable of making a Web browser request third-party

content from any other Web site. Most of the time these requests are for images, Cascading Style Sheets, JavaScript, or pieces of other Web pages. However, nothing prevents a malicious Web page from forcing a victim's browser to make an unintended request to any other Web site. This is where the name cross-site request forgery (CSRF or XSRF) comes from.

Using CSRF, if a victim happens to be logged into their bank site, an unintended request could force them to wire transfer out their own money. Or, in another context, CSRF could cause a user to post a derogatory comment on their blog or someone else's. Worse still, it could force a hack another Web site or download illegal content. The possibilities are endless.

To Web servers, one request looks more or less just like another. The challenge of this particular issue is detection. The unintended request is legitimate (not hacked up), the user is the right user (authenticated), and the request is being made directly to the real Web site (no man-in-the-middle). The only problem is the victim did not intend to make the request, but the Web server doesn't know that. And the scary part is the vast majority of Web sites are vulnerable with users having very little ability to defend themselves against CSRF.

More information:
This was first published in November 2006

Dig deeper on Building security into the SDLC (Software development life cycle)

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchSOA

TheServerSide

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchFinancialApplications

SearchHealthIT

Close