A cross-site request forgery (CSRF) attack is a type of malicious exploit which, in one common form, causes a user's browser, when browsing a website containing malicious code, to send an unauthorized command to a target website which has a trust relationship with the user, such as the user's online banking website. For example, a user may browse a website containing the following malicious code:
<img src="http://www.usersbank.com/withdraw?account=bob&amount=100&for=mal">
which causes the user's browser to send a request to the user's online banking website to transfer money from the user's bank account to that of the attacker. Such attacks typically rely on the presence of a cookie that the target website previously stored on the user's computer and that contains confidential information, such as the user's login and password for the target site; because the browser attaches that cookie automatically to any request it sends to the target site, the forged request arrives looking like one the user made.
Websites may protect themselves and their trusted users against CSRF attacks by employing various mechanisms at the website server. In one popular anti-CSRF mechanism, when a user requests an HTML form from a website server, the server generates a token using a pseudo-random number generator, inserts the token into the HTML form as a hidden input field, and provides the HTML form to the user. The server also provides the user with another copy of the token to be stored in a cookie at the user's computer. Preferably, the tokens that are provided to the user are encrypted using different encryption algorithms. When the user submits the HTML form to the website server, the form is submitted together with its hidden token, and the token from the cookie is submitted as well. The server checks if the token submitted with the form matches the token stored in the cookie. If the tokens match, then the submission is considered by the server as not the result of a CSRF attack on the assumption that there is a very low probability that an attacker could create a version of the HTML form with the proper token.
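The token scheme described above, simulated end to end as an added example (this is illustration code, not code from the original text or from any particular web framework). The function names (issue_form, verify_submission, extract_hidden_token) and the cookie and field names are assumptions; the "preferably encrypted with different algorithms" step is omitted, so both copies of the token travel in the clear, which is the plain double-submit form of the mechanism. The example shows the form being issued with a hidden token and a matching cookie, a legitimate submission passing the check, and two forged submissions (one without the hidden field, one with a guessed token) failing it.

```python
from __future__ import annotations

import hmac
import secrets
from html import escape

# Assumed names for this illustration, not a real framework's API.
COOKIE_NAME = "csrf_token"
FIELD_NAME = "csrf_token"
TOKEN_BYTES = 32


def generate_token() -> str:
    """Fresh token from a cryptographically secure PRNG (secrets, not random)."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def issue_form(action: str) -> tuple[str, dict[str, str]]:
    """Server side, on GET: build the HTML form with the token as a hidden input
    and return it together with the cookie that carries the second copy."""
    token = generate_token()
    html = (
        f'<form method="POST" action="{escape(action, quote=True)}">\n'
        f'  <input type="hidden" name="{FIELD_NAME}" value="{escape(token, quote=True)}">\n'
        '  <input type="text" name="amount">\n'
        '  <input type="submit">\n'
        '</form>'
    )
    cookies = {COOKIE_NAME: token}  # stands in for a Set-Cookie header
    return html, cookies


def verify_submission(form_fields: dict[str, str], cookies: dict[str, str]) -> bool:
    """Server side, on POST: the hidden field must match the cookie copy."""
    form_token = form_fields.get(FIELD_NAME)
    cookie_token = cookies.get(COOKIE_NAME)
    if not form_token or not cookie_token:
        return False
    # Constant-time comparison so the check does not leak token bytes via timing.
    return hmac.compare_digest(form_token, cookie_token)


def extract_hidden_token(html: str) -> str | None:
    """Pull the hidden field value back out of the issued form; this stands in
    for the browser submitting the form it was given."""
    marker = f'name="{FIELD_NAME}" value="'
    start = html.find(marker)
    if start == -1:
        return None
    start += len(marker)
    end = html.find('"', start)
    return html[start:end]


def legitimate_flow() -> bool:
    """User fetches the form, then submits it: hidden field and cookie agree."""
    html, cookies = issue_form("/withdraw")
    submitted = {FIELD_NAME: extract_hidden_token(html), "amount": "100"}
    return verify_submission(submitted, cookies)


def forged_flow_missing_field() -> bool:
    """A request triggered from another site carries the victim's cookie, but
    the attacker's page never saw the form, so the hidden field is absent."""
    _html, cookies = issue_form("/withdraw")
    forged = {"amount": "100"}  # constructed: no csrf_token field at all
    return verify_submission(forged, cookies)


def forged_flow_guessed_token() -> bool:
    """A made-up token value does not match the cookie the server issued."""
    _html, cookies = issue_form("/withdraw")
    forged = {FIELD_NAME: generate_token(), "amount": "100"}  # constructed guess
    return verify_submission(forged, cookies)


if __name__ == "__main__":
    print("legitimate submission accepted:", legitimate_flow())
    print("forged (no hidden field) accepted:", forged_flow_missing_field())
    print("forged (guessed token) accepted:", forged_flow_guessed_token())
```

The check rests on exactly the assumption the text states: a page on another origin can make the browser send the cookie, but it cannot read the form served by the bank, so it cannot reproduce the hidden field. A server must still generate the token with a secure source (here `secrets`, never `random`) and compare in constant time, otherwise the "very low probability" of guessing the token no longer holds.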
While server-based anti-CSRF mechanisms exist, it is the responsibility of the website developer to use them properly and test whether a website is adequately protected against CSRF attacks.