OWASP Periodic Table of Vulnerabilities - Cross-Site Request Forgery

Return to Periodic Table Working View

Root Cause Summary
A vulnerable application processes a transaction using an existing session, without verifying that the transaction was intended to be initiated by the user and not a malicious 3rd-party site. CSRF is also known as Session Riding or Confused Deputy.

Browser / Standards Solution
Change default browser behavior to look for policy file for cross-domain writes instead of "default allow", transitioning through CSP framework.

Generic
None

Framework Solution
None

Perimeter Solution
None

Generic Framework Solution
Automatically generate and check tokens for all POST requests by default, following the Synchronizer Token Pattern with configuration-based exclusion list for transactions which must not or need not be protected against CSRF. Disallow state changes via GET requests, enforcing RFC.

Custom Framework Solution
None

Custom Code Solution
None

Discussion / Controversy
CSRF tokens would be made obsolete by a browser/standards solution that allows a site owner to specify which external web sites are allowed to initiate transactions. (The current HTTP specification by design allows any web site to initiate POST requests to any other web site on the behalf of its users.) Default deny for cross-domain writes will likely never pass standards review. Even policy files to control cross-domain writes are strongly disfavored.