A cross-site request forgery attack, also known as CSRF or XSRF (pronounced "sea-surf"), is the less well known but equally dangerous cousin of the cross-site scripting (XSS) attack. With XSRF, the attacker uses the victim's browser to perform a transaction (a GET or POST request) on the attacker's behalf against a vulnerable site to which the victim authenticated earlier; the browser attaches the victim's session cookie automatically, so the site cannot tell the forged request from a genuine one.
The article gives an example of how XSRF works with a POST request and suggests several mitigations:
- Validate the Referer header (not fully reliable, since browsers, privacy tools and proxies may strip it, so it should not be the only defence).
- Include a "canary" in the form (typically a hidden input) whose value the attacker cannot know or compute.
- Set ViewStateUserKey to make ViewState more tamper-resistant by tying it to the individual user's session.
- Remember that accepting only POST requests is not a protection against XSRF: an attacker's page can submit a hidden form by POST just as easily as it can trigger a GET.
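The following is an added example, not code from the article or from ASP.NET, that puts the mitigations above side by side in a minimal Python request handler. The canary is derived as an HMAC of the session id under a server secret (the same idea ViewStateUserKey applies to ViewState), the Referer check reports the "header missing" case that makes it unreliable, and the forged request is sent by POST to show that a POST-only endpoint still reaches the canary check. `SERVER_SECRET`, `SITE_HOST`, the `/transfer` form fields and the request dicts are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlparse

# Hypothetical server-side secret; a real application loads it from
# configuration and never ships it in a page.
SERVER_SECRET = b"rotate-me-and-keep-me-out-of-source"
SITE_HOST = "bank.example"  # assumed host of the protected site


def issue_canary(session_id: str) -> str:
    """Derive a per-session canary the attacker cannot compute.

    The value is an HMAC over the session id, so the server can re-derive
    it on submission without storing anything, and an attacker who does not
    hold SERVER_SECRET cannot forge it even knowing the session id.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def canary_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted hidden field with the expected value."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_canary(session_id), submitted)


def referer_check(headers: dict, expected_host: str = SITE_HOST) -> str:
    """Return 'ok', 'bad' or 'missing'.

    'missing' is why this check alone is not recommended: Referer is often
    stripped, so rejecting it breaks real users and accepting it lets a
    forged request through.
    """
    ref = headers.get("Referer")
    if ref is None:
        return "missing"
    return "ok" if urlparse(ref).hostname == expected_host else "bad"


def handle_transfer(request: dict) -> Tuple[int, str]:
    """Handle POST /transfer. `request` is a constructed dict standing in for an HTTP request."""
    # POST-only: this rejects a forged GET (an <img> tag, say) but not a
    # forged POST from a hidden auto-submitting form.
    if request["method"] != "POST":
        return 405, "method not allowed"
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "not logged in"
    # The canary is the check that actually distinguishes the forged request.
    if not canary_valid(session_id, request["form"].get("canary")):
        return 403, "missing or invalid canary"
    return 200, f"transferred {request['form']['amount']} to {request['form']['to']}"


def demo() -> Tuple[Tuple[int, str], Tuple[int, str]]:
    """Run one genuine and one forged request against handle_transfer."""
    session_id = "sess-" + secrets.token_hex(8)  # the victim's authenticated session
    # The browser attaches the session cookie to both requests.
    base = {"method": "POST", "cookies": {"session": session_id}}

    legit = {**base,
             "headers": {"Referer": f"https://{SITE_HOST}/transfer"},
             "form": {"to": "alice", "amount": "10",
                      "canary": issue_canary(session_id)}}
    # Forged by a hidden form on attacker.example that the page submits on
    # load: attacker-chosen fields, the victim's cookie, no way to fill in
    # the canary.
    forged = {**base,
              "headers": {"Referer": "https://attacker.example/page"},
              "form": {"to": "mallory", "amount": "1000"}}
    return handle_transfer(legit), handle_transfer(forged)


if __name__ == "__main__":
    print(demo())
```

The forged request fails with 403 rather than 405: it is a POST, so the method check does nothing, and it is the canary that stops it. Note that the canary must not leak to the attacker's origin (no reflection into cross-origin-readable responses), otherwise the "cannot know or compute" property is lost.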