Cross Site Request Forgery – What Is It And How To Fix It?

Cross Site Request Forgery

Cross Site Request Forgery Description: It is also known as session riding or a one-click attack, and is sometimes pronounced "sea surf". If an application has this vulnerability, an adversary can exploit it to make an authorized user submit actions the user never intended.

Impact: A user may be tricked, without their knowledge, into submitting a sensitive transaction such as a money transfer or a purchase.

How to Fix:

Cross Site Request Forgery can be mitigated in two ways:

1. User interaction is not required:

In this case, check the source and target origins before processing the request. The source and target origins must match; if they do not, reject the request and do not proceed further. The source origin can be read from the Origin header, and the target origin from the submitted URL or the Host header. In addition, check and validate the Cross Site Request Forgery token before processing the request any further.
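The following is an added example (not code from the original article) of the server-side check described above: it compares the source origin from the Origin header with the target origin built from the Host header, then validates the submitted CSRF token against the one stored in the user's session. The header dictionaries, the scheme argument and the function names are assumptions made for this illustration.

```python
import hmac
import secrets
from typing import Dict, Optional


def issue_csrf_token() -> str:
    """Generate an unguessable token to store in the user's session and embed in forms."""
    return secrets.token_urlsafe(32)


def source_origin(headers: Dict[str, str]) -> Optional[str]:
    """Source origin as claimed by the browser's Origin header, normalised to lower case.
    Browsers send 'null' for some cross-site contexts; treat that as absent."""
    origin = headers.get("Origin")
    if not origin or origin == "null":
        return None
    return origin.rstrip("/").lower()


def target_origin(headers: Dict[str, str], scheme: str) -> Optional[str]:
    """Target origin derived from the Host header and the scheme the request arrived on.
    Host is client-controlled, so a fixed, configured canonical host is preferable in practice."""
    host = headers.get("Host")
    if not host:
        return None
    return f"{scheme}://{host}".lower()


def is_state_change_allowed(headers: Dict[str, str], scheme: str,
                            session_token: Optional[str],
                            submitted_token: Optional[str]) -> bool:
    """Return True only if source and target origins match AND the CSRF token is valid."""
    src = source_origin(headers)
    tgt = target_origin(headers, scheme)
    if src is None or tgt is None or src != tgt:
        return False  # missing or mismatched origin: do not proceed
    if not session_token or not submitted_token:
        return False  # no token to compare against
    # constant-time comparison so timing does not leak the token
    return hmac.compare_digest(session_token, submitted_token)


if __name__ == "__main__":
    # Constructed sample request headers for a money-transfer POST.
    token = issue_csrf_token()
    same_site = {"Origin": "https://bank.example", "Host": "bank.example"}
    cross_site = {"Origin": "https://attacker.example", "Host": "bank.example"}
    print(is_state_change_allowed(same_site, "https", token, token))     # True
    print(is_state_change_allowed(cross_site, "https", token, token))    # False
    print(is_state_change_allowed(same_site, "https", token, "stale"))   # False
```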
2. User interaction is required:

For sensitive transactions, ask the user to complete one of the following:

  • One Time Password
  • Re-authentication
  • CAPTCHA

I hope this article provided you with some useful information. Please share it if you liked it.