OWASP Periodic Table of Vulnerabilities - Cross-Site Request Forgery

Root Cause Summary
The root cause of CSRF is the Web site trusting Web authentication or cookie-based session IDs without verifying that the authenticated user actually initiated or authorized the request; the browser attaches the session cookie to any request aimed at the site, whichever page originated it.

Browser / Standards Solution
Change default browser behavior to look for a policy file for cross-domain writes instead of "default allow", transitioning through the CSP framework.

Generic
None

Framework Solution
None

Perimeter Solution
None

Generic Framework Solution
Automatically generate and check tokens for all POST requests by default, with a configuration-based exclusion list. Disallow state changes via GET requests, enforcing the RFC's requirement that GET be a safe method.

Custom Framework Solution
None

Custom Code Solution
None

Discussion / Controversy
Cross-Site Request Forgery is sometimes referred to as Session Riding.

CSRF is difficult to protect against, and some proposed defenses (using a secret cookie, accepting only POST requests, requiring multi-step transactions, or URL rewriting) do not always work. The best solution may be the Synchronizer Token Pattern.
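The Generic Framework Solution above and the Synchronizer Token Pattern named here are the same mechanism, shown below as an added, framework-independent example (not code from OWASP or from any particular framework). The `Session`, `Request`, `Response`, `ROUTES` and `CSRF_EXEMPT` names are assumptions standing in for whatever the real framework provides: the token is minted per session, embedded in every rendered form, checked with a constant-time comparison on every non-safe request not on the exclusion list, and state-changing routes are registered as POST-only so a GET to them is refused before any handler runs.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed minimal request/session model (assumption: stands in for a real
# framework's objects; nothing here is a particular framework's API).

@dataclass
class Session:
    data: dict = field(default_factory=dict)

@dataclass
class Request:
    method: str
    path: str
    session: Session
    form: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: str = ""

TOKEN_KEY = "csrf_token"
# Configuration-based exclusion list: paths that carry their own authentication
# (constructed example path).
CSRF_EXEMPT = {"/webhooks/payment"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def get_or_create_token(session):
    """Return the session's synchronizer token, minting one if missing."""
    if TOKEN_KEY not in session.data:
        session.data[TOKEN_KEY] = secrets.token_urlsafe(32)
    return session.data[TOKEN_KEY]

def render_form(session, action):
    """Embed the token as a hidden field so only same-origin pages can submit it."""
    token = get_or_create_token(session)
    return (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="{TOKEN_KEY}" value="{token}">'
            '</form>')

def csrf_check(request):
    """Return a rejecting Response for a non-safe request lacking a valid token, else None."""
    if request.method in SAFE_METHODS or request.path in CSRF_EXEMPT:
        return None
    expected = request.session.data.get(TOKEN_KEY)
    submitted = request.form.get(TOKEN_KEY)
    if not expected or not submitted:
        return Response(403, "CSRF token missing")
    # Constant-time comparison on bytes; a forged request cannot read the
    # session token, so it cannot supply this value.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return Response(403, "CSRF token invalid")
    return None

# Route table: allowed methods and handler. State-changing routes are POST-only.
def transfer(request):
    return Response(200, f"transferred {request.form.get('amount')}")

def balance(request):
    return Response(200, "balance page")

ROUTES = {
    "/transfer": ({"POST"}, transfer),
    "/balance": ({"GET"}, balance),
}

def dispatch(request):
    """Framework entry point: method check, then token check, then handler."""
    route = ROUTES.get(request.path)
    if route is None:
        return Response(404, "not found")
    methods, handler = route
    if request.method not in methods:
        # A state change attempted via GET never reaches the handler.
        return Response(405, "method not allowed")
    rejected = csrf_check(request)
    if rejected is not None:
        return rejected
    return handler(request)
```

The check runs in the dispatcher rather than in each handler, which is what "by default" means in practice: a new POST route is protected unless someone adds it to `CSRF_EXEMPT`. Rejected requests should also be logged, since a burst of 403s on a state-changing route is the detection signal for an attempted forgery.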