• Support   |   Contact a Representative   |   Contact WhiteHat

• Website Risk Management
  • Asset Identification
  • Vulnerability Management
  • Reporting/Communication
  • Protection
• Sentinel Services
  • Cost-effective Solution
  • Benefits
  • Core Features
  • Unique Methodology
  • Selection Guidelines
  • Sentinel Premium Edition
  • Sentinel Standard Edition
  • Sentinel Baseline Edition
  • Sentinel for QA
  • PCI Compliance
  • Integration – via XML API
  • Certification Program
  • How Sentinel Works
  • WAF Integration
• Support Plus
  • Gold Service Level
  • Silver Service Level
  • Standard Service Level
  • Service Levels
• Education Services
  • Guidelines
  • Intro to Web App Security
  • Secure Coding for Java
  • .NET
• Events & News
  • News Coverage
  • Press Releases
  • Interviews
  • Awards
• Resources
  • Whitepapers
  • Webinars & Presentations
  • Jeremiah Grossman Blog
  • Website Statistics Report
  • Website Security Glossary
• Partners
  • Strategic Partners
  • Partner Application Form
  • Partner Portal Login
• About WhiteHat Security
  • Leadership Team
  • Board of Directors
  • Success Stories
  • Careers
  • Contact Us
  • Support

• Resources
• Whitepapers
• Webinars & Presentations
• Jeremiah Grossman Blog
• Website Statistics Report
• Sentinel Videos

Website Security Whitepaper

Cross Site Request Forgery (CSRF)

Download a Complimentary Copy of this Whitepaper ››

Cross-Site Request Forgeries (CSRF). Session Riding. Client-Side Trojans. Confused Deputy. Web Trojans. Confused? Every year, for the past several years, the exact same Web attack is discovered, analyzed, and subsequently renamed. Whatever it’s called, it all means the same thing: An attacker is forcing an unsuspecting user’s browser to send requests they didn’t intend and potentially compromising their own banking, e-commerce or other website accounts.

Attackers have begun to actively exploit CSRF vulnerabilities across the Web. Why now? Because it’s incredibly easy and the vast majority of websites are vulnerable to it. How do you stop an attack originating from a “real user,” who could be properly logged-in, from making a legitimate request - except the problem is they did not intend to make the request?

For those familiar with Cross-Site Scripting, Chris Shiflett (principal of OmniTI) said it best: “Cross-Site Request Forgeries are an almost opposite style of attack. Rather than exploiting the trust that a user has for a website, they (CSRF attacks) exploit the trust that a website has for a user.

Here’s an example of how a CSRF attack works:

Let’s say you’re logged-in to your online bank, which has a “Transfer Funds” feature. To transfer money from one account to another, you would fill out a Web-form similar to the one in Figure 1. After specifying the appropriate “From” account, “To” account, and dollar amount, you click the “Continue” button. For our purposes, let’s say the “From” account is “314159265,” the “To” account is “011235813,” and we’re transferring $5,000.

Figure 1: Transfer Funds Web-form: