LLMpedia: The first transparent, open encyclopedia generated by LLMs

Cross-Site Request Forgery

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy: Parent article: Same-origin policy (Hop 4)
Name: Cross-Site Request Forgery
Type: Web security vulnerability
Affected: Web applications, browsers, HTTP
Mitigations: CSRF tokens, SameSite, CORS, OAuth

Cross-Site Request Forgery (CSRF) is a web security vulnerability that allows an attacker to induce a user to perform unwanted actions in a web application where the user is authenticated. It targets the interaction between browsers such as Google Chrome, Mozilla Firefox and Microsoft Edge and web servers such as Apache HTTP Server, NGINX and IIS by exploiting session state and the implicit trust a server places in requests that arrive with a valid session. High-profile platforms including Facebook, Twitter, Amazon, Google LLC and GitHub have motivated mitigations adopted by standards bodies like the Internet Engineering Task Force and by browsers from Apple Inc. and Opera Software.

Overview

CSRF is an integrity attack that leverages authenticated sessions in applications such as Gmail, PayPal, Bank of America, eBay, Reddit and Stack Overflow to submit requests through victims' browsers. Threat models from organizations like OWASP and MITRE classify CSRF alongside vulnerabilities cataloged in the OWASP Top Ten and the CWE list, informing guidance used by vendors like Microsoft Corporation, Oracle Corporation, IBM and Adobe Inc. Mitigation techniques intersect with standards and protocols designed by the World Wide Web Consortium and the IETF, and with authentication systems including OAuth 2.0, SAML and OpenID Connect as implemented by companies such as Salesforce, Okta, Auth0 and Ping Identity.

Attack Mechanisms

Attackers craft requests that browsers will execute against targets like WordPress, Drupal, Joomla!, Magento or Salesforce when users hold valid cookies or credentials; the browser attaches those credentials automatically, so the server cannot distinguish the forged request from one the user intended. Exploits often use HTML forms, IMG tags, JavaScript served from Content Delivery Network providers such as Cloudflare or Akamai Technologies, and email campaigns run through services like Mailchimp, SendGrid and Constant Contact to trigger state-changing HTTP methods handled by Apache Tomcat or Node.js. Common vectors reference APIs from Stripe, Square and Payoneer and integrations with Slack and Atlassian tools; attacks bypass protections when servers rely solely on credentials issued by identity providers like Microsoft Azure, Amazon Web Services or Google Cloud Platform.

Vulnerable Scenarios and Examples

Vulnerabilities appear in single-page applications built with frameworks such as React, Angular, Vue.js and Ember.js, and in backends written in PHP, Ruby on Rails, Django, ASP.NET Core and the Spring Framework. Example incidents include fraudulent funds transfers on banking portals like Wells Fargo and HSBC, unauthorized content changes on platforms like Wikipedia and Medium, and session manipulation on social networks, exemplified by attacks affecting Myspace, LinkedIn and Tumblr. Other scenarios involve integrations with marketplaces such as Shopify and Etsy and enterprise suites like SAP SE and Oracle Database, where automated workflows and cron jobs exposed through APIs from Twilio, SendGrid and Stripe were misused.

Prevention and Mitigation

Defenses include synchronizer tokens (anti-forgery tokens) issued by frameworks from the Django Software Foundation, Ruby on Rails, Laravel and Express, and header-based strategies using CORS policies influenced by the IETF and implemented in nginx, Apache HTTP Server and IIS. Browser-side controls such as the SameSite cookie attribute, endorsed by Google LLC and implemented by the Mozilla Foundation and Apple Inc., limit cross-site transmission of cookies; content security deployment follows guidance from the W3C and OWASP. Authentication hardening uses standards like OAuth 2.0 and OpenID Connect and enterprise identity providers including Okta, Auth0 and Microsoft Azure Active Directory, along with multi-factor authentication from vendors like Duo Security and Yubico.
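The three server-side controls named above (a per-session synchronizer token, an Origin/Referer check, and a SameSite session cookie) combined into one request validator, as an added illustration that is not part of the original article or of any named framework; the application origin `https://bank.example`, the cookie name `session` and the field name `csrf_token` are assumed for the example.

```python
import hmac
import secrets
from typing import Mapping

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
SITE_ORIGIN = "https://bank.example"  # assumption: the application's own origin


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) a random synchronizer token bound to this session.

    The token is embedded in the application's own pages as a hidden form field;
    a page on another site cannot read it, so a forged request cannot supply it.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_allowed(headers: Mapping[str, str]) -> bool:
    """Header-based check: Origin, or Referer as a fallback, must be our own origin."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer", "")
    # Exact prefix with a trailing slash so "https://bank.example.evil.example/" fails.
    return referer == SITE_ORIGIN or referer.startswith(SITE_ORIGIN + "/")
    # Neither header present: fail closed rather than trust the request.


def validate_request(session: dict, method: str, headers: Mapping[str, str],
                     form: Mapping[str, str]) -> bool:
    """Return True only if a state-changing request carries a valid token and origin."""
    if method.upper() in SAFE_METHODS:
        return True  # safe methods must not change state, so no token is required
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not expected or not supplied:
        return False
    # Constant-time comparison so token bytes do not leak through response timing.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    return origin_allowed(headers)


def session_cookie_header(value: str) -> str:
    """Set-Cookie value for the session: SameSite=Lax stops cross-site POSTs carrying it."""
    return f"session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

With no Origin or Referer header at all the validator refuses the request, which is the conservative choice for an HTTPS application.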

Detection and Response

Detection tools include web application scanners from Qualys, Netsparker, Burp Suite (PortSwigger), Acunetix and Nmap, and code analysis tools from SonarQube, Coverity and Checkmarx that integrate with CI/CD pipelines managed by Jenkins, GitLab, CircleCI and Travis CI. Incident response procedures align with playbooks from CERT/CC, US-CERT and NIST guidelines, and with coordination through computer emergency response teams like CISA, ENISA and FIRST and industry groups such as ISACA and the SANS Institute. Remediation often involves patch releases from vendors like Atlassian, Automattic and Canonical, and disclosure channels coordinated through OSS-Fuzz or vulnerability disclosure programs like HackerOne and Bugcrowd.

History and Notable Incidents

The class of attack was analyzed in academic work at institutions such as Carnegie Mellon University, MIT, Stanford University and the University of California, Berkeley; early practical demonstrations were discussed at conferences such as DEF CON, Black Hat, USENIX and the RSA Conference. Notable incidents and mitigations involved companies including Facebook, Twitter, eBay, PayPal and Google LLC, and advisories published by the CERT Coordination Center and vendors like Microsoft. Industry responses spawned features and standards from the IETF, the W3C, the browser vendors Google LLC, Mozilla Foundation and Apple Inc., and server projects such as the Apache Software Foundation and NGINX, Inc. that have significantly reduced exploitation in modern deployments.

Category:Computer security