Client Side Vulnerabilities / Cross-Site Request Forgery

Description

Cross-Site Request Forgery (CSRF) is an attack vector that exploits the trust a website has for a user. It is a type of attack classified as a client-side attack, where an attacker can send malicious requests in the name of the target user without their knowledge. According to Common Weakness Enumeration (CWE) directory, Cross-Site Request Forgery is listed as CWE-352. The OWASP Testing Guide also includes testing techniques for Cross-Site Request Forgery.

Risk

Cross-Site Request Forgery can be a high risk attack vector, as it can be used to perform actions on behalf of a user without their consent or knowledge. This type of attack can be used to gather sensitive information such as credit card details, or to perform unauthorized transactions.

Solution

The best way to mitigate Cross-Site Request Forgery attacks is to ensure that any requests sent to the server are authenticated. This can be done by using anti-CSRF tokens, which are randomly generated strings that are sent along with the request and must match with the server's expected value.