How do I Prevent Cross-Site Forgery?

A cross-site forgery (XSRF or CSRF), also known by a variety of names including cross-site request forgery, session riding, and one-click attack, is a difficult type of website exploit to prevent. It operates by tricking a web browser into sending unauthorized commands to a remote server. Cross-site forgery attacks only work against users who have logged into websites with authentic credentials; as a result, logging out of websites can be a simple and effective preventative measure. Web developers can use randomly generated tokens to help prevent this type of attack, but should avoid checking the referrer or relying on cookies.

It is common for cross-site forgery exploits to target web browsers in what is known as a “confused deputy attack.” Believing to be acting on the user’s behalf, the browser is tricked into sending unauthorized commands to a remote server. These commands can be hidden inside seemingly innocent portions of a webpage’s markup code, which means that a browser trying to download an image file might actually be sending commands to a bank, online retailer, or social networking site. Some browsers now include measures designed to prevent cross-site forgery attacks, and third-party programmers have created extensions or plugins that lack these measures. It may also be a good idea to turn off HyperText Markup Language (HTML) e-mail in your preferred client because these programs are also vulnerable to cross-site forgery attacks.

Since cross-site forgery attacks rely upon users who have legitimately logged into a website. With that in mind one of the easiest ways to prevent such an attack is to simply log out of sites that you are finished using. Many sites that deal with sensitive data, including banks and brokerage firms, do this automatically after a certain period of inactivity. Other sites take the opposite approach and allow users to be persistently logged in for days or weeks. Although you might find this convenient, it does expose you to CSRF attacks. Look for a “remember me on this computer” or “keep me logged in” option and disable it, and make sure to click the log out link when you’ve completed a session.

For web developers, eliminating cross-site forgery vulnerabilities can be a particularly challenging task. Checking referrer and cookie information does not provide much protection because CSRF exploits take advantage of legitimate user credentials and this information is easy to spoof. A better approach would be to randomly generate a single-use token each time a user logs in, and require that the token be included with any request sent by the user. For important requests like purchases or fund transfers, requiring a user to reenter username and password can help ensure the authenticity of the request.