Cross-Site Request Forgery (CSRF), also known as XSRF, is an attack method that fools a web browser into performing unwanted actions in a user application. Similar to Phishing Attacks, CSRFs are typically administered using malicious social engineering, such as an email or link that tricks the victim into sending a forged request to a server. As the unsuspecting user is authenticated by their application at the time of the attack, it’s almost impossible to distinguish a legitimate request from a forged one. A successful CSRF attack can be devastating for both the business and the user. It can result in damaged business relationships, unauthorized money transfers, changed passwords, and data theft. Depending on the nature of the CSRF attack, the hacker may gain full control over the user’s account. If the compromised user has a privileged (administrator) account within the application, the attacker might be able to take full control of all the application’s data and functionality.
Source: Imperva, PortSwigger
Additional Reading: Google and Mozilla Lay Groundwork For A ‘Post-XSS World’
Related Terms: Session Hijacking Attack
What does this mean for an SMB?
Small and medium-sized businesses (SMBs) can perform a number of preventative measures to help prevent and protect your employees against CSRF attacks. From a user’s perspective, prevention is a matter of safeguarding login credentials and denying unauthorized actors access to applications.
Best practices for employees include:
- Logging off-web applications when not in use
- Securing usernames and passwords with 14+ character passwords stored in a Password Manager
- Not allowing browsers to remember passwords
Best practices for companies developing code:
- Periodically run your development code through dynamic and static code analysis tools to try and identify security issues to address.
- Consider hiring an Application Security test firm to perform “application fuzzing” your application for security vulnerabilities.
- Train your developers on the OWASP Top 10 programming mistakes made by developers.