OWASP Top 10 – Cross Site Request Forgery

  • Force an authorized user to send forged HTTP requests (the forged request rides on the victim's session data).
  • The victim must be logged in.
  • The vulnerable server-side application treats these requests as legitimate.

Accepting unvalidated input, storing it in the database, and presenting it to users on request: when a logged-in user accesses it, the exploitation occurs.

Solutions

  • Unique token in a hidden field (the value is then sent in the message body and not in the URL of the request).
  • Require the user to re-authenticate before making a sensitive/important request.
  • Implement a CAPTCHA.
  • Mobile SMS/OTP verification.
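The hidden-field token from the first bullet, worked through as an added example (this is not code from the original page or from OWASP): a per-session token is generated from the OS CSPRNG, embedded in the form, and compared in constant time before the handler changes any state. The `/transfer` form, the `session` dict standing in for a server-side session store, and the field name `csrf_token` are assumptions for illustration; only the Python standard library is used.

```python
"""Per-session CSRF token in a hidden form field (synchronizer token pattern).

Added example, not code from the original page. The session dict, the /transfer
form and the field name csrf_token are hypothetical.
"""
import hmac
import secrets
from html import escape

SESSION_KEY = "csrf_token"   # where the server-side session keeps the token
FIELD_NAME = "csrf_token"    # name of the hidden form field


def issue_csrf_token(session: dict) -> str:
    """Return the session's CSRF token, creating an unpredictable one on first use."""
    token = session.get(SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session[SESSION_KEY] = token
    return token


def render_transfer_form(session: dict) -> str:
    """Build the form a logged-in user receives.

    The token travels in the POST body, not in the URL, so it does not leak
    through browser history, proxy logs or the Referer header.
    """
    token = escape(issue_csrf_token(session), quote=True)
    return (
        '<form method="POST" action="/transfer">\n'
        f'  <input type="hidden" name="{FIELD_NAME}" value="{token}">\n'
        '  <input type="text" name="to">\n'
        '  <input type="text" name="amount">\n'
        '  <button>Send</button>\n'
        '</form>'
    )


def verify_csrf(session: dict, form: dict) -> bool:
    """Accept only if the submitted field matches the session token (constant-time compare)."""
    expected = session.get(SESSION_KEY)
    submitted = form.get(FIELD_NAME)
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session: dict, form: dict) -> dict:
    """Simulated server-side handler; the CSRF check runs before any state change."""
    if not session.get("user"):
        return {"status": 401, "reason": "not logged in"}
    if not verify_csrf(session, form):
        return {"status": 403, "reason": "missing or invalid CSRF token"}
    return {"status": 200, "transferred": {"to": form["to"], "amount": form["amount"]}}


if __name__ == "__main__":
    # Constructed server-side session for an already logged-in user.
    session = {"user": "alice"}
    print(render_transfer_form(session))
    token = session[SESSION_KEY]
    # Legitimate submission: the browser posts back the hidden field it was given.
    print(handle_transfer(session, {FIELD_NAME: token, "to": "bob", "amount": "10"}))
    # Cross-site submission carrying only the victim's cookie: no token, so it is rejected.
    print(handle_transfer(session, {"to": "mallory", "amount": "10"}))
```

The check is deliberately placed before the authorization logic touches any account data, and `hmac.compare_digest` is used instead of `==` so that a mismatch does not leak timing information about the token. A per-session token is the minimum; rotating it after sensitive actions, or binding it to the session cookie with an HMAC, are the usual refinements.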