Top 10 2013-A8-Cross-Site Request Forgery (CSRF)

= TEMPORARY PLACEHOLDER for 2013 T10 =

Consider anyone who can load content into your users' browsers and thus force them to submit a request to your website. Any website or other HTML feed that your users access could do this. An attacker creates forged HTTP requests and tricks a victim into submitting them via image tags, XSS, or numerous other techniques. If the user is authenticated, the attack succeeds. CSRF takes advantage of the fact that most web apps let an attacker predict all the details of a particular action.

Since browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones.
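The two paragraphs above describe why a forged request is indistinguishable from a legitimate one: the browser attaches the session cookie, and everything else about the request is predictable. The added example below (written for this page, not OWASP's own code) models that in plain Python with a constructed toy "bank" application: a vulnerable transfer handler that trusts the cookie alone, and a hardened version of the same handler that additionally requires an unpredictable per-session synchronizer token and rejects a mismatched Origin header. The `Request` class, the `Bank` class, the origin `https://bank.example` and the account balances are all assumptions made for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Minimal stand-in for a web framework's request object (constructed for this example).
@dataclass
class Request:
    method: str
    cookies: dict                      # what the browser attaches automatically
    form: dict                         # POST body fields
    headers: dict = field(default_factory=dict)


SITE_ORIGIN = "https://bank.example"   # assumed origin of the application


class Bank:
    """Toy application state (constructed): sessions and account balances."""

    def __init__(self):
        self.sessions = {}                              # session id -> {"user", "csrf_token"}
        self.balances = {"alice": 100, "mallory": 0}

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        # One unpredictable token per session. Only pages the app serves to this
        # user embed it, so a third-party page cannot guess or read it.
        self.sessions[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
        return sid

    def render_transfer_form(self, sid):
        """The legitimate form carries the token as a hidden field."""
        token = self.sessions[sid]["csrf_token"]
        return (f'<form method="POST" action="/transfer">'
                f'<input type="hidden" name="csrf_token" value="{token}">'
                f'<input name="to"><input name="amount"><button>Send</button></form>')

    def _do_transfer(self, user, to, amount):
        if self.balances[user] < amount:
            return "400 insufficient funds"
        self.balances[user] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return "200 ok"

    def transfer_vulnerable(self, req):
        """Vulnerable: authorizes the action on the session cookie alone."""
        sess = self.sessions.get(req.cookies.get("session"))
        if req.method != "POST" or sess is None:
            return "403 not authenticated"
        return self._do_transfer(sess["user"], req.form["to"], int(req.form["amount"]))

    def transfer_protected(self, req):
        """Hardened: same handler plus an Origin check and a synchronizer token."""
        sess = self.sessions.get(req.cookies.get("session"))
        if req.method != "POST" or sess is None:
            return "403 not authenticated"
        origin = req.headers.get("Origin")
        if origin is not None and origin != SITE_ORIGIN:
            return "403 cross-origin request rejected"
        # Constant-time comparison so the token cannot be recovered byte by byte.
        submitted = req.form.get("csrf_token", "")
        if not hmac.compare_digest(submitted, sess["csrf_token"]):
            return "403 csrf token missing or invalid"
        return self._do_transfer(sess["user"], req.form["to"], int(req.form["amount"]))


def demo():
    """Run a forged request against both handlers and a legitimate one against the hardened one."""
    results = {}
    for name in ("vulnerable", "protected"):
        bank = Bank()
        sid = bank.login("alice")
        handler = getattr(bank, f"transfer_{name}")
        # Forged request: the victim's browser attaches the session cookie, but the
        # attacker's page cannot see alice's token, so the form carries none.
        forged = Request("POST", {"session": sid}, {"to": "mallory", "amount": "50"})
        results[name] = handler(forged)
        results[f"{name}_alice"] = bank.balances["alice"]
    # Legitimate request submitted from the real form, which includes the token.
    bank = Bank()
    sid = bank.login("alice")
    token = bank.sessions[sid]["csrf_token"]
    legit = Request("POST", {"session": sid},
                    {"to": "mallory", "amount": "50", "csrf_token": token},
                    {"Origin": SITE_ORIGIN})
    results["protected_legit"] = bank.transfer_protected(legit)
    results["protected_legit_alice"] = bank.balances["alice"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the vulnerable handler the forged request succeeds and alice's balance drops to 50; against the hardened handler it is refused and the balance stays at 100, while the real form's request still goes through. The token has to be unpredictable and tied to the session, and it must be compared server-side on every state-changing request; the Origin check is a second, independent layer, not a replacement for the token.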

Detection of CSRF flaws is fairly easy via penetration testing or code analysis. Attackers can cause victims to change any data the victim is allowed to change or perform any other function the victim is authorized to use, including state-changing requests such as logout or even login. Consider the business value of the affected data or application functions. Imagine not being sure whether users intended to take these actions.

Consider the impact to your reputation.


 http://example.com/app/accountView?id= ' or '1'='1


 * OWASP SQL Injection Prevention Cheat Sheet
 * ESAPI Encoder API


 * CWE Entry 77 on Command Injection
 * CWE Entry 89 on SQL Injection