Cross-site request forgery (CSRF), also known as a one-click attack or session riding, is a type of malicious exploit of a website in which unauthorized requests or commands are transmitted to the website from a user whom the website trusts, through a client device associated with that user, so that the web application server hosting the website is tricked into acting on them. The requests are unauthorized because they are sent to the website without the user's knowledge or permission. CSRF takes advantage of the trust a website places in an authenticated or otherwise authorized user: the attacker tricks the user's web browser into sending HTTP (Hypertext Transfer Protocol) requests to the targeted website, the browser automatically attaches the user's stored credentials (such as session cookies) to those requests, and the requests have harmful or malicious side effects on the server.
From a technical point of view, CSRF relies on a few assumptions. First, the attacker knows, or can guess, which websites the victim is currently authenticated to, and how a state-changing request to such a website is structured, since the forged request must contain no parameter the attacker cannot predict. Next, the attacker generally targets websites that use persistent authentication cookies, or users whose web browsers currently hold a session cookie, because the browser attaches such cookies to every request to the site regardless of which page originated the request. Finally, the targeted websites do not require any secondary authentication or proof of origin for client requests beyond the cookie.
CSRF may cause various types of harm to both users and websites. For example, a forged request to a user's bank website may transfer money out of the user's account, or a forged request to a website where the user holds a registered account may reset the user's account information, such as the login name or password.
Some methods have been developed to detect and prevent CSRF attacks. For example, a web application may switch from a persistent authentication method to a transient one, so that no stored credential is attached automatically, or include a secret, user-specific token in its forms that is verified on submission in addition to the cookies. Alternatively, a web application may check the HTTP Referer header (the field is spelled this way in the HTTP specification) to see whether the request originated from one of its own pages; such a check must decide what to do when the header is absent, since some browsers, proxies and privacy tools strip it. A server-side proxy may also be used to detect and prevent CSRF attacks. Other methods use cryptographic tokens to prove that the sender of a request knows a session-specific secret parameter, or secret tokens to prove that the sender knows an action- and user-specific secret parameter; in either case the same-origin policy prevents the attacker's page from reading the token, so a forged request arrives without it.
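The following is an added example, not part of the original text, that demonstrates both the attack described above (the browser attaching the session cookie to a request that a foreign page triggered) and the server-side defences listed here: an HMAC token bound to the session, user and action, combined with an origin check. It goes slightly beyond the text by consulting the Origin header before falling back to Referer. The signing key, session table, site origin and request structures are hypothetical and constructed for the example.

```python
"""Synchronizer-token and origin checks for a state-changing request (added example)."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical server-side state for the example: a signing key generated at
# start-up and a session table mapping session-cookie values to user ids.
SIGNING_KEY = secrets.token_bytes(32)
SESSIONS = {"s3ss10n-abc": "alice"}      # constructed sample session
SITE_ORIGIN = "https://bank.example"     # assumed origin of the protected site


def issue_token(session_id: str, user_id: str, action: str) -> str:
    """Token bound to session, user and action, so a token leaked for one
    action (or one user) cannot be replayed for another."""
    message = "\x00".join([session_id, user_id, action]).encode()
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).hexdigest()


def verify_token(session_id: str, user_id: str, action: str, presented) -> bool:
    """Recompute the expected token and compare in constant time."""
    if not presented:
        return False
    expected = issue_token(session_id, user_id, action)
    return hmac.compare_digest(expected, presented)


def source_allowed(headers: dict, site_origin: str = SITE_ORIGIN) -> bool:
    """Origin header first, Referer as fallback; fail closed when both are absent.
    Caveat: proxies and privacy tools strip Referer, so failing closed rejects a
    few legitimate users; the token check remains the primary defence."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == site_origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" == site_origin
    return False


def handle_transfer(request: dict) -> tuple:
    """Check a POST /transfer. request = {'cookies': ..., 'headers': ..., 'form': ...}."""
    session_id = request["cookies"].get("sid")
    user_id = SESSIONS.get(session_id)
    if user_id is None:
        return (False, "not authenticated")
    if not verify_token(session_id, user_id, "transfer", request["form"].get("csrf_token")):
        return (False, "missing or invalid token")
    if not source_allowed(request["headers"]):
        return (False, "cross-site source")
    return (True, "accepted")


def sample_requests() -> dict:
    """Constructed requests. In every case the browser attaches the session
    cookie, exactly as it would for a form the attacker's page auto-submits."""
    sid = "s3ss10n-abc"
    good = issue_token(sid, "alice", "transfer")
    cookies = {"sid": sid}
    return {
        # the user submits the bank's own form, which carried the token
        "legitimate": {"cookies": cookies,
                       "headers": {"Origin": SITE_ORIGIN},
                       "form": {"csrf_token": good, "amount": "100"}},
        # hidden form on evil.example submitted by script: cookie present, token absent
        "forged": {"cookies": cookies,
                   "headers": {"Origin": "https://evil.example"},
                   "form": {"amount": "100"}},
        # a token that leaked for another action is replayed against /transfer
        "wrong_action": {"cookies": cookies,
                         "headers": {"Origin": SITE_ORIGIN},
                         "form": {"csrf_token": issue_token(sid, "alice", "update_email"),
                                  "amount": "100"}},
        # valid token but the request arrives from a foreign Referer with no Origin
        "foreign_referer": {"cookies": cookies,
                            "headers": {"Referer": "https://evil.example/page"},
                            "form": {"csrf_token": good, "amount": "100"}},
    }


def run_samples() -> dict:
    """Outcome of handle_transfer for each constructed request."""
    return {name: handle_transfer(req) for name, req in sample_requests().items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:16} -> {result}")
```

The token is derived with an HMAC rather than stored per form, which keeps the server stateless while still binding the value to the session, the user and the action; a forged request fails the token check before the origin check is reached, and the origin check catches the remaining case where a token is valid but the request demonstrably came from elsewhere.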
However, most of the existing methods for detecting or preventing CSRF attacks are implemented on the server side, often as part of the web application itself. Thus, unless each web application implements such protection, its users are left vulnerable. Therefore, continuous efforts are needed to improve CSRF detection and prevention.