CSRF / XSRF Attack

CSRF (Cross Site Request Forgery) is also known an XSRF, Sea surf or Session Riding. It is an attack in which when a user is logged in into an application, it executes an unwanted action in that application.

A CSRF attack can lead to unauthorized cash transfers, password changes, data thefts and also it can damage the relationship with the client.

CSRF is generally carried out via malicious emails or links that makes the victim send forged request to a server. As the user is not suspected by the application, its makes it impossible to differentiate it from a legitimate request.

How to prevent this attack

There are many ways to prevent CSRF attacks.

There are many preventive measures as shown below :

  • Logging off the web application when it is not being used
  • User names and passwords must be secured
  • Browsers should not be allowed to remember passwords
  • When logged into an application, simultaneous browsing must be avoided.

From web application point of view there are many solutions to block this attack like generating random tokens for every session which will be checked and verified by the server. Subsequently sessions with duplicate tokens will be blocked. Another method to prevent the same is double submission of cookies. Here random tokens are assigned to both a cookie and a request parameter. The server then matches these for granting access to the application.