Top 10 2013-A8-Cross-Site Request Forgery (CSRF)

From OWASP
Revision as of 13:11, 17 February 2013 by Neil Smithline (Talk | contribs)

Jump to: navigation, search

TEMPORARY PLACEHOLDER for 2013 T10

[[Top 10 {{{year}}}-Missing Function Level Access Control|← Missing Function Level Access Control]]
2013 Table of Contents

2013 Top 10 List

[[Top 10 {{{year}}}-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities →]]
Threat Agents Attack Vectors Security Weakness Technical Impacts Business Impacts
Application Specific Exploitability
AVERAGE
Prevalence
COMMON
Detectability
EASY
Impact
MODERATE
Application / Business Specific
Consider anyone who can load content into your users’ browsers, and thus force them to submit a request to your website. Any website or other HTML feed that your users access could do this. Attacker creates forged HTTP requests and tricks a victim into submitting them via image tags, XSS, or numerous other techniques. If the user is authenticated, the attack succeeds. CSRF takes advantage of the fact that most web apps allow attackers to predict all the details of a particular action.

Since browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones.

Detection of CSRF flaws is fairly easy via penetration testing or code analysis.

Attackers can cause victims to change any data the victim is allowed to change or perform any other function the victim is authorized to use, including state changing requests, like logout or even login. Consider the business value of the affected data or application functions. Imagine not being sure if users intended to take these actions. Consider the impact to your reputation.
Am I Vulnerable To 'Cross-Site Request Forgery (CSRF)'?

blank

How Do I Prevent 'Cross-Site Request Forgery (CSRF)'?

blank

  1. blankBullet1
  2. blankBullet2
Example Attack Scenarios

blank

blank code

blank

http://example.com/app/accountView?id=' or '1'='1

blank

References

OWASP

External

[[Top 10 {{{year}}}-Missing Function Level Access Control|← Missing Function Level Access Control]]
2013 Table of Contents

2013 Top 10 List

[[Top 10 {{{year}}}-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities →]]

© 2002-2013 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png
[[Category:OWASP Top Ten {{{year}}} Project]]