Encyclopedia > Cross site request forgery

Cross-site request forgery (CSRF), although similar-sounding in name to cross-site scripting (XSS), is a very different and almost opposite form of attack. Whereas cross-site scripting exploits the trust a user has in a Web site, a cross-site request forgery exploits the trust a Web site has in a user: the attacker forges the requester, making a request appear to come from a trusted user of the site. This is sometimes called session riding. These attacks are often less popular (so there are fewer resources available), more difficult to defend against than XSS attacks, and, therefore, more dangerous.


The following characteristics are common to CSRF:

  • Exploit a site's trust in a user
  • Involve sites that rely on a user's identity
  • Trick a user into performing HTTP requests through a site

At-risk Web applications are those that accept user input from trusted and authenticated users yet do not verify the location from which the data is coming. A user who is authenticated by a cookie saved in the Web browser could unknowingly send an HTTP request to a site that trusts that user and so perform an unwanted action.


A classic example of an attack is to trick a user into making a request by placing a link in an image tag. The browser loading the image tag cannot tell that the link is not to an image, so it makes the request anyway, sending along the user's cookie information.
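
The server-side checks that an at-risk application lacks, shown as an added example that is not part of the original article. The origin `https://bank.example`, the function names and the sample requests are constructed for illustration, and the per-session token goes beyond the origin check the article describes.

```python
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://bank.example"  # assumed origin of the site (constructed)

def new_csrf_token():
    """Per-session random token, kept server-side and embedded in the site's own forms."""
    return secrets.token_urlsafe(32)

def origin_of(url):
    """Reduce a URL to scheme://host[:port] for comparison with TRUSTED_ORIGIN."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None  # e.g. the literal Origin value "null"
    return f"{parts.scheme}://{parts.netloc}".lower()

def check_state_change(method, headers, session_token, form_token):
    """Return (allowed, reason) for a request that would change server state."""
    # An image tag can only issue GET, so state changes are never served over GET.
    if method.upper() != "POST":
        return False, "state-changing action requires POST"
    # Verify where the request came from: Origin first, Referer as fallback.
    source = headers.get("Origin") or headers.get("Referer")
    if source is None or origin_of(source) != TRUSTED_ORIGIN:
        return False, "request did not originate from this site"
    # The browser attaches the cookie automatically; it never attaches the token.
    if not form_token or not hmac.compare_digest(
            session_token.encode(), form_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

TOKEN = new_csrf_token()
# Constructed sample requests: (method, headers, token submitted with the form)
SAMPLES = {
    "image tag on another site": ("GET", {"Referer": "https://forum.example/t/1"}, None),
    "form posted from another site": ("POST", {"Origin": "https://forum.example"}, None),
    "site's own form": ("POST", {"Origin": "https://bank.example"}, TOKEN),
}

def run_samples():
    return {name: check_state_change(m, h, TOKEN, t)
            for name, (m, h, t) in SAMPLES.items()}

if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{name}: {'allow' if ok else 'deny'} ({reason})")
```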


The Wikipedia article included on this page is licensed under the GFDL.