Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) is a type of attack in which an attacker tricks the victim's browser into sending unwanted requests to a web application the victim is already logged into. The attack abuses the victim's existing authentication information to perform malicious actions on the victim's behalf without the victim's knowledge.

How does cross-site request forgery work?

A CSRF attack usually takes place in two steps:

  1. The attacker creates a malicious website or email that contains a specially crafted form or link that triggers an action on the target website. This action could be changing settings, transferring funds or deleting data.
  2. The victim who falls into the attacker's trap visits the malicious website or clicks on the manipulated link. This causes the victim's browser to send a request to the target website, which executes the unwanted action. Since the victim is already logged into the target application, the browser automatically attaches the authentication information to the request and the action is carried out in the victim's name.

How can you protect yourself against cross-site request forgery?

Various security measures can be taken to protect against CSRF attacks:

  1. Use of CSRF tokens: The web application generates an unpredictable CSRF token, binds it to the user's session and embeds it in every form or link that triggers a state-changing action. When such a request arrives, the server checks that the submitted token matches the one bound to the session, to ensure that the request really comes from the user and not from an attacker.
  2. Limiting the validity of requests: The web application can verify that state-changing actions are triggered only by pages that originate from the same domain as the application itself, and reject all others. This prevents requests triggered from foreign domains from being executed.
  3. Use of same-site cookies: Cookies can be marked with the SameSite attribute so that the browser sends them only with requests that originate from the same site. This reduces the risk of CSRF attacks because the session cookie is no longer automatically attached to requests triggered from a malicious site.
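
The following added example (not code from the page or from Airlock) shows measures 1 and 3 in plain Python without a web framework: a per-session CSRF token embedded in a transfer form and verified server-side, plus a session cookie marked SameSite=Strict. The session store, the request dictionary shape and the `/transfer` endpoint are constructed for the example.

```python
import hmac
import secrets
from http import cookies

# Constructed in-memory session store for the example: session id -> session data.
SESSIONS = {}

def create_session(user):
    """Log a user in: issue a random session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def session_cookie_header(sid):
    """Set-Cookie value for the session cookie, restricted to same-site requests."""
    jar = cookies.SimpleCookie()
    jar["session"] = sid
    jar["session"]["samesite"] = "Strict"  # browser omits the cookie on cross-site requests
    jar["session"]["secure"] = True
    jar["session"]["httponly"] = True
    return jar.output(header="").strip()

def render_transfer_form(sid):
    """Embed the session's CSRF token as a hidden field in the state-changing form."""
    token = SESSIONS[sid]["csrf"]
    return (f'<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            f'<input name="amount"><button>Transfer</button></form>')

def handle_transfer(request):
    """Server-side check: the token in the form must match the one bound to the session.
    request is a constructed dict: {"cookies": {...}, "form": {...}}. Returns (status, msg)."""
    sid = request.get("cookies", {}).get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not authenticated"
    submitted = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison; a page on another site cannot read this token.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {request['form'].get('amount')} for {session['user']}"
```

A forged request from another site carries the cookie (unless SameSite blocks it) but not the hidden token, so `handle_transfer` rejects it with 403 while the legitimate form submission succeeds.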

By implementing these security measures, web applications can be effectively protected against CSRF attacks, preserving the integrity and security of the application and its users' data.
