CSRF: Attack And Defense | McAfee®

Table of Contents

  • Definition of CSRF
  • Attack Vectors
  • Inline “image” links
  • Auto-submitting forms
  • Phishing
  • Capabilities of CSRF Attacks
  • Simulate valid requests
  • Activate XSS, SQL injection
  • Call web services
  • Protecting Your Website
  • Solutions that don’t work
  • Effective CSRF solutions
  • Protecting Yourself
  • Log out
  • Change default passwords
  • Use different browsers
  • Use a virtual machine
  • Enforcement via proxies
  • Conclusion

Definition of CSRF

CSRF stands for cross-site request forgery; it is also known as session riding or XSRF. CSRF takes advantage of the statelessness of the web: because HTTP itself carries no notion of a session, websites identify a logged-in user by a credential (typically a session cookie) that the browser attaches automatically to every request sent to that site, no matter which page triggered the request. An attacking site can therefore make the victim’s browser issue requests to a target site, and the target will treat them as the victim’s own. Typically, CSRF is used to perform actions of the attacker’s choosing using the victim’s authenticated session: if the victim is logged into the target site, the attacker can make the victim’s browser perform actions there without the victim’s knowledge. To go into more detail, let’s look at what happens when a user visits a website:

Download: CSRF_ Attack and Defense.pdf (903.0 KB)

Happy learning!