[WEBINAR] The New Normal: Dealing with the Reality of an Unsecure World

Cross-Site Request Forgery (CSRF)

Definition - What does Cross-Site Request Forgery (CSRF) mean?

Cross-site request forgery (CSRF) is a type of website exploit carried out by issuing unauthorized commands from a trusted website user. CSRF exploits a website’s trust for a particular user's browser, as opposed to cross-site scripting, which exploits the user’s trust for a website.

This term is also known as session riding or a one-click attack.

Techopedia explains Cross-Site Request Forgery (CSRF)

A CSRF usually uses a browser's "GET" command as the exploit point. CSR forgers use HTML tags such as "IMG" to inject commands into a specific website. A particular user of that website is then used as a host and an unwitting accomplice. Often the website does not know that it is under attack, since a legitimate user is sending the commands. The attacker might issue a request to transfer funds to another account, withdraw more funds or, in the case of PayPal and similar sites, send money to another account.

A CSRF attack is hard to execute because a number of things have to happen in order for it to succeed:

  • The attacker must target either a website that does not check the referrer header (which is common) or a user/victim with a browser or plug-in bug that allows referrer spoofing (which is rare).
  • The attacker must locate a form submission at the target website, which must be capable of something like changing the victim's email address login credentials or doing money transfers.
  • The attacker must determine the correct values for all of the form's or URL's inputs. If any of them are required to be secret values or IDs that the attacker cannot accurately guess, the attack will fail.
  • The attacker must lure the user/victim to a Web page with malicious code while the victim is logged in to the target site.

For example, suppose that Person A is browsing his bank account while also in a chat room. There is an attacker (Person B) in the chat room who learns that Person A is also logged in to Person B lures Person A to click on a link for a funny image. The "IMG" tag contains values for’s form inputs, which will effectively transfer a certain amount from Person A’s account into Person B’s account. If does not have secondary authentication for Person A before the funds are transferred, the attack will be successful.

Techopedia Deals

Connect with us

Techopedia on Linkedin
Techopedia on Linkedin
"Techopedia" on Twitter

Sign up for Techopedia's Free Newsletter!

Email Newsletter

Join thousands of others with our weekly newsletter

Free Whitepaper: The Path to Hybrid Cloud
Free Whitepaper: The Path to Hybrid Cloud:
The Path to Hybrid Cloud: Intelligent Bursting To Amazon Web Services & Microsoft Azure
Free E-Book: Public Cloud Guide
Free E-Book: Public Cloud Guide:
This white paper is for leaders of Operations, Engineering, or Infrastructure teams who are creating or executing an IT roadmap.
Free Tool: Virtual Health Monitor
Free Tool: Virtual Health Monitor:
Virtual Health Monitor is a free virtualization monitoring and reporting tool for VMware, Hyper-V, RHEV, and XenServer environments.
Free 30 Day Trial – Turbonomic
Free 30 Day Trial – Turbonomic:
Turbonomic delivers an autonomic platform where virtual and cloud environments self-manage in real-time to assure application performance.