Tuesday, January 16, 2007

Cross-Site Request Forgery (CSRF/XSRF) FAQ

The Cross-Site Request Forgery (CSRF/XSRF) FAQ has been released! Good stuff.

What is Cross Site Request Forgery?
"Cross Site Request Forgery (also known as
XSRF, CSRF, and Cross Site Reference Forgery) works by exploiting the trust that a site has for the user. Site tasks are usually linked to specific urls (Example: http://site/stocks?buy=100&stock=ebay) allowing specific actions to be performed when requested. If a user is logged into the site and an attacker tricks their browser into making a request to one of these task urls, then the task is performed and logged as the logged in user. Typically you'll use Cross Site Scripting to embed an IMG tag or other HTML/JavaScript code to request a specific 'task url' which gets executed without the users knowledge. These sorts of attacks are fairly difficult to detect potentially leaving a user debating with the website/company as to whether or not the stocks bought the day before we initiated by the user after the price plummeted."



Anonymous said...

I keep on seeing XMLHTTPRequest cited as a means of performing CSRF (it's in this FAQ), but I can't find anything to suggest this is possible without request smuggling / request splitting attacks.

Am I missing something?

Jeremiah Grossman said...

No your right, XHR cannot make off-domain requests. Usually when XHR is mentioned in this context its for on-site Request Forgeries. Like for Web Worms for instance.