cross-site request forgery

Cross-site request forgery (XSRF or CSRF) is a method of attacking a Web site in which an intruder masquerades as a legitimate and trusted user. An XSRF attack can be used to modify firewall settings, post unauthorized data on a forum or conduct fraudulent financial transactions. A compromised user may never know that such an attack has occurred. If the user does find out about an attack, it may only be after the damage has been done and a remedy may be impossible.

An XSRF attack can be executed by stealing the identity of an existing user and then hacking into a Web server using that identity. An attacker may also trick a legitimate user into unknowingly sending Hypertext Transfer Protocol (HTTP) requests that return sensitive user data to the intruder.

An XSRF attack is functionally the opposite of a cross-site scripting (XSS) attack, in which the hacker inserts malicious code into a link on a Web site that appears to be from a trustworthy source. When an end user clicks on the link, the embedded code is submitted as part of the client's Web request and can execute on the user's computer.

An XSRF attack also differs from cross-site tracing (XST), a sophisticated form of XSS that allows an intruder to obtain cookies and other authentication data using simple client-side script. In XSS and XST, the end user is the primary target of the attack. In XSRF, the Web server is the primary target although collateral harm is often done to individual end users.

XSRF attacks are more difficult to defend against than XSS or XST attacks. In part, this is because XSRF attacks are less common and have not received as much attention. Another problem is that it can be difficult to determine whether an HTTP request arriving with a particular user's credentials was actually intended by that user. While strict precautions can be used to verify the identity of a user attempting to access a Web site, users may not tolerate frequent requests for authentication. The use of cryptographic tokens can provide that verification in the background on each request, so the user is not constantly pestered by authentication prompts.
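
As an added example (not from the glossary or WhatIs.com), the following Python shows the token-based check described above: a hypothetical handler receives the browser's cookies and form fields as a dict, and a per-session HMAC token proves that the request came from the site's own page rather than merely from a browser that holds the user's session cookie.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-secret-not-for-production"


def issue_csrf_token(session_id: str) -> str:
    """Mint a token for the current session: random nonce plus HMAC over (session_id, nonce).

    The token is embedded in the application's own forms. A cross-origin page cannot
    read it, so a forged request cannot present it.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    """True only if the token was minted for this exact session (constant-time compare)."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(request: dict) -> tuple:
    """Simulated state-changing POST handler (hypothetical request dict: cookies + form).

    The session cookie alone proves who the user is, not that the user intended this
    request, because the browser attaches it to cross-site requests automatically.
    """
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return 401, "not logged in"
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token")):
        return 403, "CSRF check failed: request not proven to come from our own page"
    return 200, f"transferred {request['form']['amount']} to {request['form']['to']}"


if __name__ == "__main__":
    token = issue_csrf_token("sess-abc")  # constructed session id
    # Genuine submission from the application's own form carries the token.
    print(handle_transfer({"cookies": {"session": "sess-abc"},
                           "form": {"to": "acct-1", "amount": "100", "csrf_token": token}}))
    # Forged cross-site request: the cookie rides along, but the token is absent.
    print(handle_transfer({"cookies": {"session": "sess-abc"},
                           "form": {"to": "acct-2", "amount": "100"}}))
```

The first call returns status 200 and the second 403; a token minted for a different session is rejected in the same way.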

Read more about it:
>>  Jesse Burns describes how XSRF attacks work and offers some countermeasures.

Last updated on: Oct 16, 2006

All Rights Reserved, Copyright 2006 - 2008, TechTarget | Read our Privacy Policy