OWASP Periodic Table of Vulnerabilities - Cross-Site Request Forgery

Revision as of 21:23, 20 July 2013 by David Fern (Talk | contribs)


Cross-Site Request Forgery (CSRF)

Root Cause Summary

The root cause of CSRF is the Web site trusting Web authentication credentials or cookie-based session IDs, which the browser attaches automatically to every request for that site, without verifying that the authenticated user actually intended or authorized the specific request.

Browser / Standards Solution

Change the default browser behavior for cross-domain writes from "default allow" to looking for a policy file that states which origins may submit requests, transitioning to the CSP framework as the delivery mechanism for that policy.



Framework Solution


Perimeter Solution


Generic Framework Solution

Automatically generate and check anti-CSRF tokens for all POST requests by default, with a configuration-based exclusion list for endpoints that must accept unauthenticated cross-site posts. Disallow state changes via GET requests, enforcing the RFC requirement that GET be a safe method.

Custom Framework Solution


Custom Code Solution


Discussion / Controversy

Cross Site Request Forgery is sometimes referred to as Session Riding.

CSRF is difficult to protect against, and several commonly proposed defenses are unreliable: using a secret cookie (the browser attaches cookies to forged requests just as it does to legitimate ones), only accepting POST requests (an attacker's page can auto-submit a POST form), multi-step transactions (each step can be forged in turn), or URL rewriting. The most robust solution is the Synchronizer Token Pattern: an unpredictable per-session token embedded in every form and verified on every state-changing request.
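The following added example (not code from the OWASP page or any OWASP project) models the framework-level token check described under Generic Framework Solution and the comparison of defenses in this discussion. It uses a constructed in-memory session store, a minimal browser model that attaches the site's cookies to every request regardless of which page submitted the form, and a hypothetical exclusion list named CSRF_EXEMPT_PATHS; all of those are assumptions for the demonstration. It runs a legitimate transfer and a forged one from an attacker-controlled page through each candidate defense.

```python
import hmac
import secrets

# Constructed in-memory session store, standing in for a framework's session backend:
# session_id -> {"user": ..., "csrf_token": ...}
SESSIONS = {}

def new_session(user):
    """Create a session and bind one random synchronizer token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_transfer_form(sid):
    """The site's own form: the per-session token is embedded as a hidden field."""
    return {"action": "/transfer", "method": "POST",
            "hidden": {"csrf_token": SESSIONS[sid]["csrf_token"]}}

class Browser:
    """Minimal browser model: cookies for the site are attached to every request to it,
    no matter which page (the site's own or the attacker's) submitted the form."""
    def __init__(self):
        self.cookies = {}

    def submit(self, form, fields):
        body = dict(form.get("hidden", {}))
        body.update(fields)
        return {"method": form["method"], "path": form["action"],
                "cookies": dict(self.cookies), "form": body}

# --- candidate defenses from the discussion above -------------------------------

def secret_cookie_only(request):
    """'Secret cookie': accept if a valid session cookie is present. Forged requests
    pass, because the browser sends the cookie for the attacker's form too."""
    return request["cookies"].get("session") in SESSIONS

def post_only(request):
    """'Only accept POST': an attacker page can auto-submit a POST form just as easily."""
    return request["method"] == "POST"

# Hypothetical framework configuration: paths excluded from the token check (assumption).
CSRF_EXEMPT_PATHS = {"/health"}

def synchronizer_token(request):
    """Framework-style check: state-changing requests must be POST and must carry a
    token equal to the one stored in the session (constant-time compare)."""
    if request["path"] in CSRF_EXEMPT_PATHS:
        return True
    if request["method"] != "POST":            # no state changes via GET
        return False
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return False
    supplied = request["form"].get("csrf_token", "")
    return hmac.compare_digest(session["csrf_token"], supplied)

def transfer_handler(request, guard):
    """State-changing endpoint; returns an HTTP-like status code."""
    return 200 if guard(request) else 403

def simulate():
    """Run one legitimate and one forged transfer through each defense.
    Returns {defense: (status_for_legit, status_for_forged)} plus the GET outcome."""
    victim = Browser()
    sid = new_session("alice")
    victim.cookies["session"] = sid                       # alice is logged in

    legit = victim.submit(render_transfer_form(sid), {"to": "bob", "amount": "10"})

    # Attacker-controlled page: same action and method, but it cannot read alice's
    # token (same-origin policy), so the hidden field is simply absent.
    attacker_form = {"action": "/transfer", "method": "POST", "hidden": {}}
    forged = victim.submit(attacker_form, {"to": "mallory", "amount": "1000"})

    # Even with a valid token, a GET-based state change is refused by the framework check.
    get_request = {"method": "GET", "path": "/transfer", "cookies": dict(victim.cookies),
                   "form": {"to": "mallory", "amount": "1000",
                            "csrf_token": SESSIONS[sid]["csrf_token"]}}

    results = {}
    for name, guard in [("secret_cookie", secret_cookie_only),
                        ("post_only", post_only),
                        ("synchronizer_token", synchronizer_token)]:
        results[name] = (transfer_handler(legit, guard), transfer_handler(forged, guard))
    results["synchronizer_token_get"] = transfer_handler(get_request, synchronizer_token)
    return results

if __name__ == "__main__":
    for defense, outcome in simulate().items():
        print(f"{defense:22s} {outcome}")
```

Running it shows the secret-cookie and POST-only checks returning 200 for both the legitimate and the forged request, while the synchronizer token check returns 200 for the legitimate request and 403 for the forged one and for the GET attempt. The token is compared with hmac.compare_digest so that a wrong token cannot be guessed byte by byte through timing differences.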


References

OWASP - Top 10 2013-A8-Cross-Site Request Forgery (CSRF)

OWASP - Cross-Site Request Forgery (CSRF)

OWASP - Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet

OWASP - OWASP CSRF Tester Project

OWASP - Testing for CSRF (OWASP-SM-005)

CWE-352: Cross-Site Request Forgery (CSRF)

WASC - Cross Site Request Forgery

CAPEC-62: Cross Site Request Forgery (aka Session Riding)