Threat Watch: Cross Site Request Forgery (CSRF)
Why a little-known web application vulnerability could cause big problems
By Rick Cook
December 20, 2007
After Cross Site Scripting (XSS), the second most common web application security exploit is probably one you haven’t heard of: Cross Site Request Forgery (or CSRF for short). This little-known but very troubling web-application attack essentially hijacks a user’s browser to perform actions he or she didn’t intend--anything from ordering merchandise to sending threatening letters to the White House.
By their nature CSRF attacks are hard to prove. Unless you have a case like the Samy worm that produces a major disruption, it’s hard even to know such an exploit is out there. (The 2005 Samy worm was only discovered because it used CSRF to temporarily make the writer the most popular person on MySpace.) Unlike an XSS attack, which tricks the site into uploading malicious code, CSRF simply has the site execute legitimate commands--just not commands issued by the user.
Despite this type of attack being difficult to detect, Jeremiah Grossman, CTO at web application security vendor Whitehat Security, estimates that it’s the second most common web application attack, after XSS, and believes that it is about where XSS was a couple of years ago: Few security professionals are aware of it, but it is being increasingly exploited by computer criminals.
While the dangers of such attacks on sites that require authentication are obvious, even CSRFs against sites that don’t require authentication can be damaging. Grossman points out that Whitehouse.gov doesn’t require authentication, but sending a bunch of threatening e-mails to the White House is probably going to get you a visit from the FBI.
Of course, the vast majority of people who encounter the attack on a site that