Cross-Site Request Forgery – All You Need to Know

Introduction to Cross-Site Request Forgery (CSRF)

The Cross-Site Request Forgery (CSRF) vulnerability category spent over 10 years in the OWASP Top 10 (until the 2017 release), yet a large percentage of the development community still doesn’t understand the risk. Our team conducts hundreds of security assessments per year, and the results still show a high percentage of applications that do not have CSRF protection.

Before we define CSRF, let’s address the first question our customers ask: if CSRF is no longer in the OWASP Top 10, do I still need to worry about it? Basic threat modeling can answer that. Start here: do any of my web applications use cookie-based authentication? If the answer is no, then see your way out here. Unfortunately for most of us, our legacy and model-view-controller (MVC) applications do use cookie-based authentication, and if you fall into this group, you have to address CSRF. The main reason CSRF was removed from the OWASP Top 10 is that modern frameworks, such as Spring Boot, .NET MVC / Core, and NodeJS, provide built-in protection against CSRF attacks. But do you know whether the CSRF feature is actually enabled and properly configured for every endpoint? Most security teams do not know the answer, which is why you still need to worry about CSRF. Misconfiguration of these frameworks now accounts for most of the CSRF vulnerabilities identified in our assessments.
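The reasoning above (cookie-based authentication makes a state-changing endpoint forgeable unless the framework's CSRF protection is actually switched on for it) can be made concrete with a small model. The following is an added example, not code from the original article or from any of the frameworks it names: it sketches a hypothetical application with an in-memory session store, a synchronizer token bound to each session, one endpoint registered with protection disabled (the misconfiguration the text describes) and one with it enabled, plus an `audit_unprotected_routes()` helper that lists state-changing routes registered without protection. All route names, users and tokens are constructed for the example.

```python
"""Minimal model of cookie-based authentication with and without a
synchronizer CSRF token, plus a route audit.  Constructed example; the
application, routes and users are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field

# --- server-side state (constructed) -------------------------------------
SESSIONS = {}            # session id -> {"user": str, "csrf_token": str}
USERS = {"alice": {"email": "alice@example.invalid"}}
ROUTES = {}              # path -> {"methods": set, "handler": fn, "csrf": bool}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)   # attached automatically by the browser
    form: dict = field(default_factory=dict)      # body chosen by whoever built the page


def route(path, methods=("GET",), csrf=True):
    """Register a handler; csrf=False mirrors a framework where protection
    was switched off (or never enabled) for that endpoint."""
    def register(fn):
        ROUTES[path] = {"methods": set(methods), "handler": fn, "csrf": csrf}
        return fn
    return register


def login(user):
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the legitimate HTML form embeds in a hidden field; a page on
    another origin cannot read it, so it cannot be included in a forged post."""
    return SESSIONS[sid]["csrf_token"]


def handle(req):
    """Dispatch one request the way a framework's middleware would."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "not authenticated"
    rt = ROUTES.get(req.path)
    if rt is None or req.method not in rt["methods"]:
        return 404, "no route"
    if rt["csrf"] and req.method in STATE_CHANGING:
        submitted = req.form.get("csrf_token", "")
        # Constant-time comparison against the token bound to this session.
        if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
            return 403, "csrf token missing or invalid"
    return rt["handler"](session["user"], req.form)


@route("/email/change-legacy", methods=("POST",), csrf=False)
def change_email_legacy(user, form):
    """Misconfigured endpoint: the cookie alone authorises the change."""
    USERS[user]["email"] = form["email"]
    return 200, "email updated"


@route("/email/change", methods=("POST",), csrf=True)
def change_email(user, form):
    """Protected endpoint: same handler, but the middleware checked the token."""
    USERS[user]["email"] = form["email"]
    return 200, "email updated"


def audit_unprotected_routes():
    """List state-changing endpoints registered without CSRF protection,
    i.e. the per-endpoint configuration gap the text asks you to look for."""
    return sorted(p for p, rt in ROUTES.items()
                  if rt["methods"] & STATE_CHANGING and not rt["csrf"])


if __name__ == "__main__":
    sid = login("alice")
    # A form submitted from another site carries alice's cookie but no token.
    cross_site = {"email": "changed-elsewhere@example.invalid"}
    print(handle(Request("POST", "/email/change-legacy", {"session": sid}, cross_site)))
    print(handle(Request("POST", "/email/change", {"session": sid}, cross_site)))
    legitimate = dict(cross_site, csrf_token=csrf_token_for(sid))
    print(handle(Request("POST", "/email/change", {"session": sid}, legitimate)))
    print("unprotected:", audit_unprotected_routes())
```

Run it and the legacy route accepts the token-less post while the protected route rejects it with 403; the audit lists only the legacy route. In a real framework the equivalent of `audit_unprotected_routes()` is a review of every exemption (global middleware disabled, per-route decorators, or allow-lists) rather than trusting that the feature is on somewhere.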