Home > Ask the Security Channel Experts > Information Security Threats and Countermeasures Questions & Answers > Protecting against cross-site request forgery (CSRF) attacks
Ask The Security Channel Expert: Questions & Answers
EMAIL THIS

Protecting against cross-site request forgery (CSRF) attacks

Retired Expert - Russell Dean Vines EXPERT RESPONSE FROM: Retired Expert - Russell Dean Vines

Pose a Question
Other Security Channel Categories
Meet all Security Channel Experts
Become an Expert for this site


Security Channel Update
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


>
QUESTION POSED ON: 10 January 2007
I've been hearing more about cross-site request forgery (CSRF) attacks -- for example, Netflix recently had to fix a flaw related to this. I'm wondering how I can protect my customers from this type of attack. Do Web application firewalls work?


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


RELATED CONTENT
Information Security Threats and Countermeasures
Security for mobile broadband
Understanding smurf attacks
What are the network security risks of streaming video?
Spyware removal from computers
Malware removal without antivirus software
Threat matrix and risk analysis resources
Blade server security on a storage area network (SAN)
Blade server security hardware advice
Cross-site scripting vulnerability penetration testing
When should automated penetration testing be supplemented with manual pen testing?

Application Layer Firewalls
Web application firewall market is hot for resellers, service providers
Network firewall vendors
How should VARs sell the new firewall technology?
Application firewalls create opportunities for VARs and integrators
Firewall management tools ease configuration woes
How to ensure PCI-compliant firewall configurations
Email firewalls: A good fit for your SMB customers
Burton Group: Web application firewall market maturing

Data Leak and Data Theft Protection
Sophos integrates encryption into endpoint, email security
Maintaining your customers' security amid layoffs
Making the case for 'live' incident response
Mass. data protection law 201 CMR 17: How to get customers ready
Data breach prevention techniques: Helping customers avoid data breaches
PGP partners with Avnet to boost channel play
Data protection services offer revenue for security solution providers
Full disk encryption: A hot opportunity for VARs
What are the best data leakage prevention strategies for my clients?
Data security: Alternatives to data leak prevention

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary


A reverse of cross-site scripting (XSS), cross-site request forgery (CSRF or XSRF), is a malicious Web site attack that exploits the trust a Web site has in a user by forging a request from a trusted user. These attacks are very dangerous because they are more difficult to defend against than XSS attacks, and less frequent, which results in less attention being paid to them.

There is not a lot you can do to protect against CSRF at the present time. Switching from a persistent authentication method (e.g. a cookie or HTTP authentication) to a transient authentication method (e.g. a hidden field provided on every form) may help prevent these attacks.

Another approach is to include a secret, user-specific token in forms that is verified in addition to the cookie. And users can help protect their accounts at poorly designed sites by logging off the site before visiting another, or clearing their browser's cookies at the end of each browser session.

Web application firewalls (WAFs) may be a solution, as CSRF is fundamentally a problem with the Web application. The newly released Web Application Firewall Evaluation Criteria (WAFEC) version 1.0 from the Web Application Security Consortium (WASC) seeks to address these OSI Layer 7 threats.



Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
Browse our Expert Advice

HomeNewsTopicsITKnowledge ExchangeTipsMultimediaWhite PapersBlogsEvents
About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2006 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts