This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Cross-Site Request Forgery"


Revision as of 03:24, 21 July 2013


Cross-Site Request Forgery (CSRF)

Root Cause Summary

The root cause of CSRF is that the browser attaches ambient credentials (session cookies, HTTP Basic or Digest credentials, client certificates) to every request it sends to a site, regardless of which page caused the request, and the site treats the presence of those credentials as proof that the authenticated user intended the action. Nothing in such a request demonstrates that the user, rather than a page on another origin, initiated it.

Browser / Standards Solution

Change the browser's default for cross-origin state-changing requests (cross-domain writes) from "allow unless the site objects" to "deny unless the target site publishes a policy that permits them", with the policy expressed through the CSP framework rather than through a separate ad-hoc policy file. In practice the browser-side control that later shipped is the SameSite cookie attribute, which stops the browser from attaching a session cookie to requests initiated from another site.



Framework Solution


Perimeter Solution


Generic Framework Solution

Generate an unpredictable anti-CSRF token per session (or per request) automatically and verify it on every state-changing request (POST, and equally PUT, PATCH and DELETE) by default, with a configuration-based exclusion list for the few endpoints that authenticate some other way (for example a third-party callback signed with a shared secret). Reject state changes made via GET: HTTP defines GET as a safe method that must not have side effects, so a framework that refuses to route GET to state-changing handlers both enforces the RFC and closes the simplest CSRF vector, an <img> tag or a plain link.

Custom Framework Solution


Custom Code Solution


Discussion / Controversy

Cross-Site Request Forgery is sometimes referred to as Session Riding.

CSRF is awkward to protect against because the forged request is, by construction, indistinguishable from a legitimate one at the transport level: it arrives from the victim's browser carrying the victim's cookies. Several commonly suggested defences therefore fail or are incomplete. Using a secret cookie does not help, because the browser attaches every cookie for the domain to the forged request as well. Only accepting POST requests does not help, because an attacker's page can auto-submit a hidden form with whatever method and body the HTML form element allows. Multi-step transactions do not help when each step can be forged in sequence. URL rewriting (carrying the session ID in the URL instead of a cookie) trades one problem for another, since the session ID then leaks through Referer headers, logs and browser history. The defence that works is the Synchronizer Token Pattern: the server embeds an unpredictable token bound to the session in each of its own forms or pages and rejects any state-changing request that does not return it. The same-origin policy prevents the attacker's page from reading the token out of the victim's session, so the forged request cannot include it.
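The generic framework defence above and the discussion of why cookie-only and POST-only checks fail, as one added example. This is illustrative code written for this page, not code from any OWASP project; the Session and Request classes, the /transfer and /webhook/payment paths, the header name X-CSRF-Token and the victim session are all constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Methods HTTP defines as safe (no side effects). A framework never requires
# a token on these, and never routes them to a state-changing handler.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Constructed exclusion list: endpoints that authenticate some other way
# (here a hypothetical signed third-party callback) and carry no browser session.
CSRF_EXEMPT_PATHS = {"/webhook/payment"}


@dataclass
class Session:
    """Server-side session. The token is bound to it and is only ever rendered
    into the site's own pages, never placed in a cookie."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Simplified inbound request. `session` is what the browser's cookie
    resolved to; the browser attaches it to every request to the site,
    whether the victim's page or an attacker's page triggered it."""
    method: str
    path: str
    session: Optional[Session]
    form: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def cookie_only_check(req: Request) -> bool:
    """The flawed 'only accept POST' defence: trusts the ambient cookie plus
    the method. Kept as the 'before' to show why it fails."""
    return req.method == "POST" and req.session is not None


def synchronizer_token_check(req: Request) -> bool:
    """Synchronizer Token Pattern as a framework middleware applies it: every
    non-safe request must return the session's token, as a form field or (for
    XHR/fetch) in a header, unless the path is on the exclusion list."""
    if req.method in SAFE_METHODS:
        return True
    if req.path in CSRF_EXEMPT_PATHS:
        return True
    if req.session is None:
        return False                    # no session: nothing to ride
    submitted = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if not submitted:
        return False                    # token absent: reject
    # Constant-time compare so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode())


def state_changing(handler):
    """Decorator for handlers with side effects: refuses safe methods, so a GET
    (an <img src> or a link) can never change state, then applies the token
    check before the handler runs."""
    def wrapper(req: Request) -> int:
        if req.method in SAFE_METHODS:
            return 405                  # Method Not Allowed: enforces the RFC
        if not synchronizer_token_check(req):
            return 403                  # token missing or wrong
        return handler(req)
    return wrapper


@state_changing
def transfer(req: Request) -> int:
    """Hypothetical state-changing handler; the body is irrelevant here."""
    return 200


# Constructed scenario: the victim is logged in.
VICTIM = Session(user="alice")


def forged_post(guessed_token: Optional[str] = None) -> Request:
    """What reaches the server when an attacker's page auto-submits a hidden
    form to /transfer. The browser adds the victim's cookie; the attacker can
    only supply a token by guessing, since the same-origin policy stops its
    page from reading the victim's page."""
    form = {"to": "mallory", "amount": "1000"}
    if guessed_token is not None:
        form["csrf_token"] = guessed_token
    return Request("POST", "/transfer", VICTIM, form=form)


def legitimate_post() -> Request:
    """The site's own form, rendered with the session's token."""
    return Request("POST", "/transfer", VICTIM,
                   form={"to": "bob", "amount": "10", "csrf_token": VICTIM.csrf_token})


def forged_get() -> Request:
    """The simplest vector: <img src=".../transfer?to=mallory&amount=1000">."""
    return Request("GET", "/transfer", VICTIM)


if __name__ == "__main__":
    print("cookie-only check accepts forged POST:", cookie_only_check(forged_post()))
    print("GET to state-changing handler ->", transfer(forged_get()))
    print("forged POST ->", transfer(forged_post()), "guessed token ->", transfer(forged_post("A" * 43)))
    print("legitimate POST ->", transfer(legitimate_post()))
```

The cookie-only check accepts the forged POST because it sees exactly what it sees for a legitimate one; the token check rejects it, and also rejects a guessed token, because the attacker never learns the per-session value. A real framework would additionally rotate the token on login and send it with a Set-Cookie carrying the SameSite attribute where the deployment allows.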


References

OWASP - Top 10 2013-A8-Cross-Site Request Forgery (CSRF)

OWASP - Cross-Site Request Forgery (CSRF)

OWASP - Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet

OWASP - OWASP CSRF Tester Project

OWASP - Testing for CSRF (OWASP-SM-005)

CWE-352: Cross-Site Request Forgery (CSRF)

WASC - Cross Site Request Forgery

CAPEC-62: Cross Site Request Forgery (aka Session Riding)