(Cross-Site Request Forgery) An online forgery that requires knowledge of which Internet-based institutions a person deals with. It is used to steal money or obtain valuable data such as credit card numbers. Also called an "XSRF," "sea surf" and "confused deputy attack," the CSRF is embedded in a fake link or bogus script on a Web page. In either case, the browser executes a malicious transaction such as a wire transfer to the cybercrook's bank.
The CSRF exploit only works if the user is already logged onto the institution's Web site that is being targeted or has recently logged on, in which case a stored cookie used for authentication may still be active. See XSS.
The CSRF exploit only works if the user is already logged onto the institution's Web site that is being targeted or has recently logged on, in which case a stored cookie used for authentication may still be active. See XSS.
 | Reproduced with permission from Computer Desktop Encyclopedia. Copyright (c) 1981-2009 The Computer Language Company Inc. All rights reserved. |
Additional Resources
- ThreatSentry 3.0.94.0 (Windows)
- ThreatSentry is a multi-layered Web Application Firewall that protects Microsoft Windows Web servers from a broad range of web application threats including Cross Site Request Forgery (CSRF/XSRF), Structured Query Language SQL Injection, Cross-Site Scripting XSS and other attacks. ThreatSentry combines an advanced web application firewall, a proprietary NDIS driver, and...
- Software downloads 2009-07-28
- Coming in July: Month of Twitter Bugs
- A well-known security researcher plans to use the month of July to expose serious vulnerabilities in the Twitter ecosystem. The Month of Twitter Bugs, a project which launches on July 1, is the handiwork of Aviv Raff left, a researcher known for his work on Web-based security...
- Blog posts 2009-06-15
- Why Does IT Hate Facebook and Twitter?
- With as much as the media might talk about the "new enterprise" and "social media" you'd think that IT would be in lock-step with the rest of the businesswhen it came to social networking. But as my recent work with Michael Osterman shows, there's a big difference between applications that...
- Blog posts 2009-06-03
- Twitter API ripe for abuse by web worms
- A security researcher is warning that the Twitter API can be trivially abused by hackers to launch worm attacks. The red-hot social networking/microblogging service has been scrambling to plug cross-site scripting and other Web site vulnerabilities to thwart worm attacks but, as researcher Aviv Raff points out,...
- Blog posts 2009-05-26
- Is Twitter finally taking security seriously?
- Now that Oprah's all a twitter, it looks like everyone's favorite micro-blogging tool is finally taking a hard look at security. According to a job listing posted online, Twitter is searching for software engineers to focus specifically on application and infrastructure security. ...
- Blog posts 2009-04-27
- Mozilla patches a dozen Firefox vulnerabilities
- Mozilla has shipped a refresh of its flagship Firefox browser to fix a dozen documented vulnerabilities that expose users to URL spoofing, cross-site scripting, code injection and code execution attacks. The most serious fix (MFSA 2009-14) covers four browser engine and JavaScript engine crashes where Mozilla's developers...
- Blog posts 2009-04-22
- News to know: Firefox patch; Windows 7; Facebook; RIM's app store
- Here are today’s notable headlines. You can get News To Know via email alert and RSS daily. For continuous updates see BNET’s around-the-Web tech coverage. Ryan Naraine: Mozilla plugs Firefox code execution holes Mary Jo Foley: Microsoft hedges its Windows 7 bets with new...
- Blog posts 2009-03-05
- Google downplays severity of Gmail CSRF flaw
- Google downplays severity of Gmail CSRF flawOnly a fool uses this...Fools spew all private data in google, online blog things are waiting for hackers to get the data.Not only that google is big brother 2.0 on steroids, stores private data in which it is theirs to do with what they...
- Discussion threads 2009-03-04
- Google downplays severity of Gmail CSRF flaw
- Yesterday, Vicente Aguilera Diaz from Internet Security Auditors released proof of concept of a CSRF (Cross-Site Request Forgery) vulnerability in Google's Gmail, which he originally communicated to Google two years ago. The CSRF flaw affects Gmail's "Change Password" function, since according to Diaz the session cookie is automatically sent by...
- Blog posts 2009-03-04
- Robust Defenses for Cross-Site Request Forgery
- Cross-Site Request Forgery CSRF is a widely exploited web site vulnerability. This paper presents a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the victim into the honest web site as the attacker. The severity of login CSRF...
- White papers 2008-10-31
- Webmail and traditional e-mail face different threats
- This week's attack on Sarah Palin's e-mail account highlights how the same application could have very different threat models depending on the technology used. While this is a general issue for all Software-as-a-Service offerings versus traditional desktop packages, let's focus on just e-mail for now. Let's first step...
- Blog posts 2008-09-18
- DEFCON 16: List of tools and stuff released
- Â Guest editorial by Rob Fuller DEFCON, the 9000+ attendee hacker conference in Vegas has become a sort of hydra conference. It has become more like a global fair than what most people think of conferences; even the badge is highly...
- Blog posts 2008-08-18
- Black Hat Las Vegas Day 2
- Again, sorry for the late updates. Vegas is the kind of place that demands a lot of a person. Too many parties make it difficult to find time to blog on the conference. Pictures of the even are a bit sparse, due to consistently forgetting to bring my camera, but...
- Blog posts 2008-08-09
- News to know: Apple patch; IBM; PC upgrades; EDS; Yahoo
- Notable headlines: Ryan Naraine: Apple finally ships DNS flaw fix, patches 16 other Mac OS X holes Nate McFeters: Black Hat talk on Apple encryption flaw pulled Black Hat Sneak Preview Larry Dignan: IBM plans building spree: To build $360M...
- Blog posts 2008-08-01
- CSRF vulnerability allows Twitter 'follow' abuse
- CSRF vulnerability allows Twitter 'follow' abuseSo?Another worm, anyone? These types of social-networking sites all suffer from the same kind of problems. They allow lots of interfaces thereby exposing themselves to many attack vectors and we wonder why it happens?There are surely more than this out there, for Twitter,...
- Discussion threads 2008-07-31
- Twitter vulnerability forces auto-follow
- Ryan Naraine over at ZDNet's Zero Day has the scoop on a new CSRF vulnerability in Twitter that forces users to follow a supposed attacker. While Naraine viewed the POC of this vulnerability no technical details were yet shared -- and Twitter has been notified -- but this is a...
- Blog posts 2008-07-31
- CSRF vulnerability allows Twitter 'follow' abuse
- Last week, TechCrunch's Jason Kincaid wrote about an obvious Twitter vulnerability that allowed a user called "johng77536" to game the popular micro-blogging service to add thousands of followers subscribers in a short period of time. The "johng77536" account has since been disabled but a security researcher tracking...
- Blog posts 2008-07-31
- Kaminsky suggests long-term fix will still have to be determined, but patch now, or pay soon
- Kaminsky suggests long-term fix will still have to be determined, but patch now, or pay soonTTLSomething I wish I'd asked during the webcast and which I can't quite get my head around:It was said that setting a long TTL doesn't help because of the way delegation works - has to...
- Discussion threads 2008-07-24
- PCI-DSS 1.1 points to outdated OWASP Top 10
- OK, I'm not going to freak out about this too bad... I've already pointed out enough problems with PCI, but I did find it morbidly entertaining. My good friend Jeremiah Grossman pictured at right blogged today about the PCI-DSS 1.1 section 6.5, which covers "prevention of common coding vulnerabilities in...
- Blog posts 2008-07-02
- 90% of all statistics can be made to say anything... 50% of the time, aka my thoughts on the Verizon report
- ** Update 06/23/2008: I realize I didn't do a very good job of talking about what we're reviewing here. This is in response to the statistics gathered by Verizon related to Forensic Analysis of Data Breaches over a four year span. First off, let me...
- Blog posts 2008-06-22
Premier Vendor Content Whitepapers, webcasts & resources from our Power Center Sponsors
- Keep Up With The Latest In Document Management with The DocuMentor.
-
Doc delivers the scoop on today's enterprise content management, printer maintenance, and all other issues related to document management. It's the DocuMentor Blog.
- Learn more >>
- Reduce risk. Reduce complexity. Increase reliability.
-
A simplified IT environment isn't just less complex. It's also more reliable. Standardize on a single Linux platform with SUSE Linux Enterprise from Novell, and get the world's most interoperable Linux
- Learn more >>
- New Online Dashboard for IT Leaders
-
Read about top issues IT decision-makers face every day, plus get cost-effective solutions to real-life IT problems.
- Learn more >>
- Save time with automated shipping solutions
-
The Business Essentials Guide provides you useful tools and templates to help grow your business and save you time with automated shipping solutions.
- Visit the UPS Business Essentials Guide
- Microsoft Dynamics CRM Online - Free Six-Month Trial for Eligible Organizations
-
Microsoft Dynamics CRM Online provides fast online access, simple contact management and better sales performance for a low monthly cost - the best value on the market today.
- Learn more about the free, six-month trial offer>>
Popular Sanity Saver Videos
