A reverse of cross-site scripting (XSS), cross-site request forgery (CSRF or XSRF), is a malicious Web site attack that exploits the trust a Web site has in a user by forging a request from a trusted user. These attacks are very dangerous because they are more difficult to defend against than XSS attacks, and less frequent, which results in less attention being paid to them.
There is not a lot you can do to protect against CSRF at the present time. Switching from a persistent authentication method (e.g. a cookie or HTTP authentication) to a transient authentication method (e.g. a hidden field provided on every form) may help prevent these attacks.
Another approach is to include a secret, user-specific token in forms that is verified in addition to the cookie. And users can help protect their accounts at poorly designed sites by logging off the site before visiting another, or clearing their browser's cookies at the end of each browser session.
Web application firewalls (WAFs) may be a solution, as CSRF is fundamentally a problem with the Web application. The newly released Web Application Firewall Evaluation Criteria (WAFEC) version 1.0 from the Web Application Security Consortium (WASC) seeks to address these OSI Layer 7 threats.
Dig Deeper on Best practices for cybersecurity management
Related Q&A from Russell Dean Vines
A smurf attack can slow down a network to the point of shutting it down completely. Learn how to understand a full-scale smurf attack and how to ... Continue Reading
Streaming video and audio sites are frequently visited on both home computers and work computers. Learn about streaming video security risks and what... Continue Reading
There are many resources available to help value-added resellers compile a threat matrix and perform risk analyses. Continue Reading