cross-site request forgery (XSRF or CSRF)

Cross-site request forgery (XSRF or CSRF) is a method of attacking a Web site in which an intruder masquerades as a legitimate and trusted user. An XSRF attack can be used to modify firewall settings, post unauthorized data on a forum or conduct fraudulent financial transactions. A compromised user may never know that such an attack has occurred. If the user does find out about an attack, it may only be after the damage has been done and a remedy may be impossible.

An XSRF attack can be executed by stealing the identity of an existing user and then hacking into a Web server using that identity. An attacker may also trick a legitimate user into unknowingly sending Hypertext Transfer Protocol (HTTP) requests that return sensitive user data to the intruder.

An XSRF attack is functionally the opposite of a cross-site scripting (XSS) attack, in which the hacker inserts malicious coding into a link on a Web site that appears to be from a trustworthy source. When an end user clicks on the link, the embedded programming is submitted as part of the client's Web request and can execute on the user's computer.

An XSRF attack also differs from cross-site tracing (XST), a sophisticated form of XSS that allows an intruder to obtain cookies and other authentication data using simple client-side script. In XSS and XST, the end user is the primary target of the attack. In XSRF, the Web server is the primary target although collateral harm is often done to individual end users.

XSRF attacks are more difficult to defend against than XSS or XST attacks. In part, this is because XSRF attacks are less common and have not received as much attention. Another problem is the fact that it can be difficult to determine whether or not an HTTP request from a particular user is actually intended by that same user. While strict precautions can be used to verify the identity of a user attempting to access a Web site, users may not tolerate frequent requests for authentication. The use of cryptographic tokens can provide frequent authentication in the background so the user is not constantly pestered by authentication requests.

This was last updated in October 2006
Posted by: Margaret Rouse

Email Alerts

Register now to receive news, tips and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

More News and Tutorials

  • Scaling Agile software development: Challenges and solutions

    Software consultant Nari Kannan describes how agile practices and work can be scaled appropriately for success in large organizations. Using lean thinking, reduction of waste, and appropriately organizing work and people, agile can be successfully adapted, regardless of the size of the organization.

  • Rise in hidden software glitches caused by programmer retirements

    Undiscovered software glitches in complex systems are common, and one of the primary drivers is the loss of mainframe knowledge of a retiring workforce. Software glitches are lurking in many large systems, particularly mainframe systems, and the COBOL programmers that understand the code best are retiring, according to Jeff Papows, author of the new book, "Glitch - The hidden impact of faulty software." Papows describes how faulty software caused a huge charge to debit card holder's account and why such mistakes are on the rise in this interview. Papows notes the three most pressing drivers for software glitches: loss of intellectual knowledge, market consolidation and the ubiquity of technology

  • Professional development for software testers

    Karen Johnson suggests a variety of ways that testers can gain additional skills and experience, including social networking and open source testing.

Do you have something to add to this definition? Let us know.

Send your comments to

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: