Frequently Asked Questions

Cross-Site Request Forgery

Last Updated: June 1, 2011 3:46 PM

Cross-site request forgery (CSRF) is an attack that exploits a website's predictable access-restricted actions, such as updating the email address or password for an account. The browser automatically attaches the user's session cookie to every request it sends to a site, whatever page triggered that request, so a request forged by another site is treated as if the logged-in user had made it.

If malicious users can predict the details of a particular action (its URL and parameters), they can cause logged-in users to send that request without realizing it. The victim only needs to load a page the attacker controls or has injected content into, typically reached through a phishing email or a link posted on the site itself; the victim's browser then carries out the action in the victim's own account.

For example: Jim is logged in to his social networking account, and he clicks a link a friend posted. The page contains an image tag whose source is not an image at all, but the site's own status-update URL:
<img src="http://www.coolexample.com/update.php?status=I%20Like%20Pancakes" />

When the page loads in Jim's browser, the browser requests that URL to fetch the "image" and, because Jim is logged in, sends his session cookie with it. update.php cannot distinguish this request from one Jim made deliberately, so the status update posts without his knowledge. Jim does not have to click the image; loading the page is enough, and nothing visible happens on the attacker's page.

To prevent CSRF, make access-restricted actions unpredictable: include a secret, unpredictable token in every form or request that changes state, and have the server reject any request whose token does not match the one stored for the logged-in user's session. The token verifies that the request originated from one of your own pages, because a page on another origin cannot read the token and therefore has no way to supply it. Generate the token with a cryptographically secure random generator, compare it in constant time, and do not let GET requests change state at all, since an image tag or a plain link can only send GET requests and never carries the token.
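As an added example (not code from the original article or from the site it describes), the following Python models the vulnerable update.php from the example beside a hardened version that applies the token check. The session store, the session ids, the user "jim" and the request parameters are all constructed here for illustration; a real application would keep the sessions server side and read the method and parameters from the HTTP request.

```python
import hmac
import secrets

# Constructed in-memory session store: session id (the cookie value) -> session data.
# Assumption for this example; a real application would keep this server side.
SESSIONS = {}


def login(user):
    """Create a server-side session for `user` and return its id (the cookie value)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "status": None, "csrf_token": None}
    return sid


def issue_csrf_token(sid):
    """Generate an unpredictable token, store it in the session, and return it so the
    site's own pages can embed it in a hidden form field or request header.
    A page on another origin cannot read it, so a forged request cannot include it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_token"] = token
    return token


def update_status_vulnerable(sid, params):
    """Mirrors update.php from the article: any request that arrives with a valid
    session cookie is honoured. The browser attaches that cookie even when the
    request was triggered by an <img> on an attacker's page, so the forgery succeeds."""
    session = SESSIONS.get(sid)
    if session is None:
        return False
    session["status"] = params.get("status")
    return True


def update_status_hardened(sid, method, params):
    """Only a POST request carrying the session's CSRF token may change state."""
    session = SESSIONS.get(sid)
    if session is None:
        return False
    if method != "POST":
        return False  # state changes never ride on GET, which is all an <img> can send
    expected = session.get("csrf_token")
    supplied = params.get("csrf_token")
    if not expected or not supplied:
        return False  # no token issued, or none supplied: refuse
    if not hmac.compare_digest(expected, supplied):
        return False  # wrong token: refuse (constant-time compare)
    session["status"] = params.get("status")
    return True


def demo():
    """Run the forged request and a legitimate one through both handlers."""
    sid = login("jim")

    # Forged request from a page Jim merely loads: a GET with no token,
    # but the browser still attaches his session cookie (sid).
    forged = {"status": "I Like Pancakes"}
    vuln_forged = update_status_vulnerable(sid, forged)            # True: attack works
    hard_forged_get = update_status_hardened(sid, "GET", forged)   # False: GET refused
    hard_forged_post = update_status_hardened(sid, "POST", forged) # False: no token

    # Legitimate request from the site's own form, which embedded the token.
    token = issue_csrf_token(sid)
    legit = {"status": "Hello", "csrf_token": token}
    hard_legit = update_status_hardened(sid, "POST", legit)        # True: accepted

    return vuln_forged, hard_forged_get, hard_forged_post, hard_legit, SESSIONS[sid]["status"]


if __name__ == "__main__":
    print(demo())
```

The hardened handler refuses the forged request twice over: once because an image tag can only issue a GET, and again because the request carries no token. Rotate the token whenever a new session is created, and keep it out of URLs so it does not leak through browser history or Referer headers.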

To learn more about cross-site request forgery and other common vulnerabilities, see the Open Web Application Security Project's Top 10 Most Critical Web Application Security Risks.