Cross-site request forgery (CSRF or XSRF), often described as the reverse of cross-site scripting (XSS), is a malicious Web site attack that exploits the trust a Web site has in a user by forging a request from that trusted user. These attacks are very dangerous because they are more difficult to defend against than XSS attacks, and they are less frequent, so less attention is paid to them.
There is not a lot you can do to protect against CSRF at the present time. Switching from a persistent authentication method (e.g. a cookie or HTTP authentication) to a transient authentication method (e.g. a hidden field provided on every form) may help prevent these attacks.
Another approach is to include a secret, user-specific token in each form that the server verifies in addition to the cookie. Users can also help protect their accounts at poorly designed sites by logging off a site before visiting another, or by clearing their browser's cookies at the end of each browser session.
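The per-user form token described above, as an added example that is not part of the original article: the server derives a token from a per-session secret and the form it protects, and a request that carries only the cookie (which is all a forged cross-site request can supply) is rejected. The session store, form name and handler are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store: session id (the cookie value) -> session data.
SESSIONS = {}


def create_session(user: str) -> str:
    """Log a user in: return the cookie value and give the session its own CSRF secret."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_secret": secrets.token_bytes(32)}
    return sid


def issue_csrf_token(sid: str, form_name: str) -> str:
    """Token to embed as a hidden field; bound to this session and to one form.
    An attacker's page cannot read it because it is only ever served to the
    logged-in user's browser on the same site."""
    secret = SESSIONS[sid]["csrf_secret"]
    return hmac.new(secret, form_name.encode(), hashlib.sha256).hexdigest()


def handle_form_post(cookie_sid: str, form_fields: dict, form_name: str) -> tuple:
    """Server side of a state-changing POST. The cookie identifies the session,
    but the request is accepted only if the hidden token also matches."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return (401, "no session")
    submitted = form_fields.get("csrf_token", "")
    expected = issue_csrf_token(cookie_sid, form_name)
    # constant-time comparison so the check itself leaks nothing about the token
    if not hmac.compare_digest(submitted, expected):
        return (403, "csrf token missing or invalid")
    return (200, f"{form_name} accepted for {session['user']}")


def demo() -> dict:
    """Legitimate submission versus a forged one that only carries the cookie."""
    sid = create_session("alice")
    token = issue_csrf_token(sid, "transfer")
    genuine = handle_form_post(sid, {"csrf_token": token, "amount": "100"}, "transfer")
    forged = handle_form_post(sid, {"amount": "100"}, "transfer")
    return {"genuine": genuine[0], "forged": forged[0]}


if __name__ == "__main__":
    print(demo())  # {'genuine': 200, 'forged': 403}
```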
Web application firewalls (WAFs) may be a solution, as CSRF is fundamentally a problem with the Web application. The newly released Web Application Firewall Evaluation Criteria (WAFEC) version 1.0 from the Web Application Security Consortium (WASC) seeks to address these OSI Layer 7 threats.
This was first published in January 2007