OWASP Periodic Table of Vulnerabilities - Cross-Site Request Forgery
Cross-Site Request Forgery (CSRF)
Root Cause Summary
The root cause of CSRF is that the Web site trusts the browser-supplied Web authentication credentials or cookie-based session ID without verifying that the authenticated user actually requested or authorized the action.
Browser / Standards Solution
Change the default browser behavior for cross-domain writes from "default allow" to consulting a policy file, transitioning through the CSP framework.
Generic Framework Solution
Automatically generate and check tokens for all POST requests by default, with a configuration-based exclusion list. Disallow state changes via GET requests, enforcing the HTTP RFC's requirement that GET be a safe method.
Custom Framework Solution
Custom Code Solution
Discussion / Controversy
Cross-Site Request Forgery is sometimes referred to as Session Riding.
While CSRF is very difficult to protect against, some potential solutions, such as using a secret cookie, only accepting POST requests, multi-step transactions, or URL rewriting, do not always work. The best solution may be the use of a Synchronizer Token Pattern.
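The token check described under Generic Framework Solution and named here as the Synchronizer Token Pattern, as an added example in Python (not OWASP's or any framework's code): a session-bound token, a constant-time comparison on every non-safe request, a configuration-based exclusion list, and rejection of state changes attempted via GET. The paths in the two configuration sets are constructed placeholders.

```python
import hmac
import secrets

# HTTP methods the RFC defines as safe: they must not change server state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Configuration-based exclusion list (constructed placeholder): endpoints that
# skip the token check because they are authenticated by other means.
CSRF_EXEMPT_PATHS = {"/webhooks/payments"}

# Endpoints declared as state-changing (constructed placeholder): reachable only
# through non-safe methods, so a GET to them is refused outright.
STATE_CHANGING_PATHS = {"/account/email"}


def issue_token(session: dict) -> str:
    """Create one unpredictable token per session; embed it in every form.

    The token lives server-side in the session, so a cross-site request,
    which carries the victim's cookie but cannot read the page, cannot supply it.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def check_request(method: str, path: str, session: dict, form: dict) -> tuple[bool, str]:
    """Decide whether a request may proceed; returns (allowed, reason)."""
    method = method.upper()
    if method in SAFE_METHODS:
        if path in STATE_CHANGING_PATHS:
            return False, "state change via GET"
        return True, "safe method"
    if path in CSRF_EXEMPT_PATHS:
        return True, "exempt path"
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not submitted:
        return False, "missing token"
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "token mismatch"
    return True, "token ok"


if __name__ == "__main__":
    session = {}
    token = issue_token(session)
    print(check_request("POST", "/account/email", session, {"csrf_token": token}))
    print(check_request("POST", "/account/email", session, {}))  # forged cross-site POST: no token
    print(check_request("GET", "/account/email", session, {}))   # state change via GET refused
```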