OWASP Top Ten Web Application Vulnerabilities #4: Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) is a web application vulnerability in which an attacker tricks an authenticated user of your site into submitting a request to the application on the attacker's behalf, without the user being aware of it. The attack lures the victim into loading an attacker-controlled page or email that causes the victim's browser to send a request to the target application; because the browser automatically attaches the victim's session cookie (or other ambient credentials) to that request, the application treats the forged request as a genuine action by that user. For example, a successful CSRF attack against an online shop could let the attacker place an order from your account and have the goods shipped to the attacker's own address.

There are many ways for an attacker to piggyback on a legitimate user's identity with CSRF. A common one is for the attacker to study the URL that a web application uses for a sensitive action and craft a variant of it, so that instead of, say, depositing money into the user's Mom's account, the parameters in the URL instruct the bank's web application to deposit money into the attacker's account. The attacker then sends the victim an email, or hosts a page, containing that link or a hidden image tag pointing at it; when the victim opens it while logged in to the bank, the browser issues the request with the victim's session cookie and the transaction is processed, all without the victim's knowledge. In other words, the attacker does not steal the user's session; the attack rides on the user's existing authenticated session with the bank.

Forged requests such as the one described here are hard for the server to distinguish from legitimate ones, because they arrive from the same browser carrying the same cookies. Fortunately, you can detect CSRF flaws in your web applications through penetration testing or code review, and OWASP offers CSRFTester, an open source tool for generating CSRF test cases. You test for CSRF flaws by checking whether every link and form that performs a state-changing action carries an unpredictable token tied to the user's session; if a request with the token omitted or replaced by a guessed value still succeeds, the application is vulnerable. You prevent CSRF by having the server generate a unique, random token per session (or per request), include it in a hidden field of every form that changes state, and reject any request whose token does not match the value stored server side. Keep the token out of URLs, where it can leak through browser history, server logs and the Referer header, and do not perform state changes in response to GET requests, since a plain link or image tag is all an attacker needs to trigger them. Because the attacker's page cannot read the token out of the bank's pages (the browser's same-origin policy prevents it), a forged request arrives without a valid token and is refused even though it carries the user's authenticated session cookie.
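The bank-transfer scenario and the hidden-field token defence described above, as an added Python example that is not part of the original post or of any OWASP tool. It simulates a cookie-authenticated bank application with a hypothetical transfer action: the "before" handler trusts the session cookie alone and acts on any request method, the "after" handler accepts only POSTs that carry a per-session synchronizer token from the form's hidden field, and a simulated browser attaches the victim's cookie to every request, exactly as a real browser does when an attacker's page triggers one. The users (alice, mom, attacker), the in-memory session and balance tables and the request shapes are all constructed for the demonstration.

```python
"""Synchronizer-token CSRF defence, simulated end to end (added example)."""
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Constructed in-memory state standing in for the bank's server (example only).
SESSIONS: dict = {}                 # session id -> {"user": ..., "csrf": ...}
BALANCES = {"alice": 1000, "mom": 0, "attacker": 0}


@dataclass
class Request:
    method: str
    cookies: dict
    params: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session; the per-session CSRF token is minted here, server side."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def _session(req: Request):
    return SESSIONS.get(req.cookies.get("sid"))


def _move_money(src: str, dst: str, amount: int) -> int:
    if amount <= 0 or BALANCES.get(src, 0) < amount or dst not in BALANCES:
        return 400
    BALANCES[src] -= amount
    BALANCES[dst] += amount
    return 200


def vulnerable_transfer(req: Request) -> int:
    """Before: trusts the session cookie alone and changes state on any method."""
    sess = _session(req)
    if sess is None:
        return 401
    return _move_money(sess["user"], req.params["to"], int(req.params["amount"]))


def render_transfer_form(req: Request) -> str:
    """The bank's own page embeds the session's token in a hidden field."""
    sess = _session(req)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{sess["csrf"]}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def protected_transfer(req: Request) -> int:
    """After: POST only, and the hidden-field token must match the session's token."""
    sess = _session(req)
    if sess is None:
        return 401
    if req.method != "POST":
        return 405
    supplied = req.params.get("csrf_token", "")
    # Constant-time comparison so a wrong token cannot be recovered byte by byte.
    if not hmac.compare_digest(sess["csrf"], supplied):
        return 403
    return _move_money(sess["user"], req.params["to"], int(req.params["amount"]))


def browser_send(handler, cookie_jar: dict, method: str, params: dict) -> int:
    """Simulated browser: attaches the bank's cookies to every request to the bank,
    whether the user typed the URL or an attacker's page triggered it."""
    return handler(Request(method, cookies=dict(cookie_jar), params=params))


def run_demo() -> dict:
    BALANCES.update({"alice": 1000, "mom": 0, "attacker": 0})
    alice_jar = {"sid": login("alice")}      # Alice is logged in to the bank
    results = {}

    # Attacker's page: <img src="https://bank.example/transfer?to=attacker&amount=500">
    # The browser fetches it with Alice's cookie; the vulnerable handler obeys.
    results["forged_get_vulnerable"] = browser_send(
        vulnerable_transfer, alice_jar, "GET", {"to": "attacker", "amount": "500"})

    # Same forgery against the protected handler: GET is refused outright ...
    results["forged_get_protected"] = browser_send(
        protected_transfer, alice_jar, "GET", {"to": "attacker", "amount": "500"})
    # ... and an auto-submitting POST form on the attacker's page has no token ...
    results["forged_post_protected"] = browser_send(
        protected_transfer, alice_jar, "POST", {"to": "attacker", "amount": "500"})
    # ... and a guessed token fails the comparison too.
    results["guessed_token"] = browser_send(
        protected_transfer, alice_jar, "POST",
        {"to": "attacker", "amount": "500", "csrf_token": secrets.token_urlsafe(32)})

    # Legitimate flow: Alice loads the bank's form, which carries her token, and submits it.
    form = render_transfer_form(Request("GET", cookies=alice_jar))
    token = re.search(r'name="csrf_token" value="([^"]+)"', form).group(1)
    results["legit_post_protected"] = browser_send(
        protected_transfer, alice_jar, "POST",
        {"to": "mom", "amount": "100", "csrf_token": token})

    results["balances"] = dict(BALANCES)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Running the script shows the forged GET draining 500 from Alice through the vulnerable handler, while every forged request against the protected handler is refused (405 for the GET, 403 for the token-less and guessed-token POSTs) and only Alice's own form submission, carrying the token the bank embedded for her session, goes through. The same pattern transfers to any framework: mint the token server side, emit it only in the page body, and verify it with a constant-time comparison before touching state.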


About Us

Miro is a leading global provider of software asset management services, specializing in license management, audit advisory, negotiation tactics, support management, and cloud services. We help our clients maximize ROI on their software license investments, stay in compliance, and minimize the impact of audits. Miro's performance guarantee promises that our long-tenured, diverse, and passionate team of expert analysts provides insightful and actionable advice to help our clients achieve the best possible outcomes.