As the number of users viewing information and purchasing items electronically increases, there is also an increasing amount of forgery, misuse of identity information, and other illicit activities in such an electronic environment. Forced unauthorized commands or submissions from a trusted user of a Web site, for example, are often referred to as Cross Site Request Forgery (CSRF or XSRF). Typically, the submission is made to originate at the Internet protocol (IP) address of the user, such that the actual initiator of the submission is untraceable. The attacks often affect Web sites that use mechanisms such as state management, Web cookies, browser authentication, or client-side certificates to authenticate users. A CSRF exploit can be executed, for example, by tricking a user into submitting, or otherwise causing a user to submit, malicious form data to a trusted Web site. The exploit typically originates at a malicious site, as a malicious payload in a file such as a hypertext markup language (HTML) or JavaScript file, or is delivered as a file attachment via an email message, which can contain script code triggering an action to be performed on a third-party site on behalf of the victim.
In one example, a user might browse product pages of an electronic marketplace, which can result in information being stored on a client device of the user. In an Internet-based environment, this can include storing information about the user in a cookie for a browser on the client device. Any person or process (such as a malicious Web site) gaining access to this cookie can use this information to submit requests, such as purchase requests, change of delivery address requests, or even funds transfer requests, to the electronic marketplace that will look as if the requests were initiated by the user for whom the cookie was stored. Even without the attacker being able to directly read the cookie, the attacker can cause the cookie to be used to take unauthorized actions on the site that placed the cookie, on behalf of the user. For example, an attacker can cause the user to purchase an item or execute a bank transfer, without the user's knowledge, by causing a form requesting this action to be submitted by the user.
In another example of a fraudulent submission, a person or process might intercept information passing between a user and a remote location. In an example where a user does banking electronically, a user might submit a form to pay a bill through a banking institution. A person or process intercepting that form submission, and able to interpret or extract the information contained therein, can cause a similar form request to be sent that can initiate a transaction such as a transfer of money from the initial user's account, where the request looks as if it came from the user. In still other examples, a person or process might simply try to use random session or user identifiers to attempt to forge a request for an action through an electronic application or process.
One conventional approach to mitigate CSRF attacks is to use the referrer header of a client request to determine whether the request is from the expected sender. However, while simple to implement, this header is controlled by the client application, and thus is subject to spoofing by an exploited client application. In addition, some clients may omit the referrer header entirely in some circumstances. Therefore, this approach cannot be relied upon with a great deal of confidence.
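The following is an added illustration of the referrer-header approach described above, not code from the original text. It checks the Origin header and falls back to Referer, and makes the missing-header case an explicit policy decision rather than an accident. The trusted host name, the header values and the reject_missing parameter are constructed for the example; the function only detects cross-site submissions made by a well-behaved client, since either header can be omitted or supplied by a compromised client.

```python
from urllib.parse import urlsplit

# Hosts permitted to originate state-changing requests (constructed sample value).
TRUSTED_HOSTS = {"shop.example.com"}


def request_source_is_trusted(headers, trusted_hosts=TRUSTED_HOSTS, reject_missing=True):
    """Decide whether a request's claimed source is a trusted host.

    Returns (allowed, reason). Origin is preferred because browsers send it on
    cross-site POSTs even when Referer is suppressed; Referer is the fallback.
    Both headers are set by the client, so a passing check is weak evidence, not proof.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")

    if not source:
        # Privacy settings and some clients strip these headers on legitimate requests,
        # so the caller chooses: fail closed (default) or fail open.
        return (not reject_missing, "missing Origin/Referer header")

    # urlsplit yields hostname None for values such as "null" or a bare path,
    # which an attacker-controlled page can legitimately cause a browser to send.
    host = urlsplit(source).hostname
    if host is None:
        return (False, "unparseable source header")

    # Exact host match: a look-alike such as shop.example.com.evil.example is rejected.
    if host in trusted_hosts:
        return (True, "source host %s is trusted" % host)
    return (False, "source host %s is not trusted" % host)
```

The fail-closed default is the safer choice for a state-changing endpoint, but as the text notes, some legitimate users will then be rejected, which is why this check is usually combined with a per-request token rather than used on its own.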
Another conventional approach to attempt to prevent processing of an unauthorized submission by a person or process posing as a trusted user is to generate a random number and digitally sign that number with a cryptographic key. The encrypted number is then sent to the user as form data, for example, with the encrypted number being embedded in the form and returned with each form submission in order to verify that the request is coming from an authenticated user browsing the site hosting the form. The returned number must then be decrypted, compared to the number that was issued, and checked to determine whether it was issued recently. Such an approach comes with a significant amount of cryptographic processing overhead that is burdensome for many providers of electronic content, especially those of large scale and transaction volume.
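As an added example of the signed-number approach (not code from the original text), the block below issues a random nonce bound to the user's session and an issue time, and verifies it on submission. It substitutes an HMAC over the nonce, timestamp and session identifier for the sign-and-decrypt step described above, so the server need not store the issued number; the secret key, session identifiers, time values and the 900-second validity window are constructed for the example. Each verification still costs one keyed hash per request, which is the per-request cryptographic overhead the text refers to.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample key; a deployment would load this from protected configuration.
SECRET_KEY = b"constructed-sample-key-do-not-reuse"


def _mac(key, nonce, ts, session_id):
    # The MAC covers the session id so a token issued to one user cannot be replayed
    # inside another user's session.
    payload = "%s|%d|%s" % (nonce, ts, session_id)
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(session_id, key=SECRET_KEY, now=None):
    """Return "nonce|timestamp|mac" to embed as a hidden form field."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)  # the random number the form carries back
    return "%s|%d|%s" % (nonce, ts, _mac(key, nonce, ts, session_id))


def verify_token(token, session_id, key=SECRET_KEY, max_age=900, now=None):
    """Check the returned token's signature and freshness. Returns (ok, reason)."""
    try:
        nonce, ts_str, mac = token.split("|")
        ts = int(ts_str)
    except ValueError:
        return (False, "malformed token")

    # Verify the signature before trusting the timestamp; constant-time compare.
    if not hmac.compare_digest(_mac(key, nonce, ts, session_id), mac):
        return (False, "signature mismatch")

    # Freshness: reject tokens older than max_age or claiming a future issue time
    # (a small skew allowance covers clock drift between servers).
    current = int(time.time() if now is None else now)
    if current - ts > max_age or ts > current + 60:
        return (False, "token expired or not yet valid")
    return (True, "ok")
```

The token is tied to the session identifier rather than the cookie value itself, so a request carrying the victim's cookie but no valid token for that session fails verification, which is the property the text describes; the session identifier must not contain the "|" separator in this simple encoding.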