Thursday, May 21, 2009

Anatomy of a Cross-site Request Forgery Attack

So far, this is the best article to articulate our well-beloved Cross-site Request Forgery (CSRF) attack.

A Cross-site request forgery attack, also known as CSRF or XSRF (pronounced sea-surf) is the less well known, but equally dangerous, cousin of the Cross Site Scripting (XSS) attack. With XSRF, you make use of victim's browser to perform a transaction (GET or POST) on your behalf to the vulnerable site that pre-authenticated earlier.

In this article, it gives an example where how XSRF works in a POST situation, and provide a few suggestions for mitigation:
  • Validate on Referer (not 100% recommended).
  • Implement of "canary" in the form (typically a hidden input) that the attacker couldn’t know or compute.
  • Implement ViewStateUserKey to makes ViewState more tamper-resistant.
  • Remember that "POST-only" isn't aprotection for XSRF.