F5 GLOSSARY

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is a web-based attack method exploiting vulnerabilities in web applications. The term CSRF can also refer directly to the vulnerability itself.

When a web application has a CSRF vulnerability, attackers can trick legitimate users into invoking unintended actions on the vulnerable site without the users' explicit consent. Potential impacts include unauthorized operations such as modifying or deleting user data, executing fraudulent transactions, or initiating other unauthorized actions within the targeted application.

A typical CSRF attack proceeds in the following manner:

  1. The attacker entices users of a targeted application to visit a malicious web page specifically crafted for the attack.
  2. Once the victim accesses this malicious page, the page causes the victim's browser to send unauthorized POST requests to the vulnerable application (in certain cases, visiting the web page alone triggers the malicious request without further user interaction).
  3. The targeted application processes the unauthorized POST request, performing unintended actions on behalf of the authenticated user.

To mitigate CSRF attacks, applications must validate the legitimacy of incoming POST requests. One widely adopted approach is embedding anti-CSRF tokens, commonly called nonces ("number used once"), in forms. A nonce is a unique, randomly generated identifier that the application embeds in each legitimate HTTP form it serves in response to a user request. Upon receiving the subsequent POST submission, the application verifies the nonce to confirm the authenticity and integrity of the request.

When the server sends a form in response to a legitimate GET request, it includes a unique, unpredictable nonce value. When the corresponding POST request arrives from the client, the application checks that the nonce is present and matches the one it issued before acting on the request, confirming the authenticity and legitimacy of the request.
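The following is an added example, not code from the F5 glossary or from any F5 product, that models both the attack sequence above and the nonce mitigation in a hypothetical application with one state-changing endpoint (the class, method and field names are assumptions for illustration). It contrasts a handler that trusts any POST carrying a valid session cookie with one that also requires a nonce issued on the preceding GET, consumes each nonce after one use, and rejects a replay. The forged request is built as a plain dictionary lacking the token, which is what a cross-site page can produce: the browser attaches the victim's cookie, but the same-origin policy prevents the page from reading the nonce out of the victim's form.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session state keyed by the session cookie (hypothetical)."""
    user: str
    csrf_tokens: set = field(default_factory=set)  # outstanding (unused) nonces


class SettingsApp:
    """Hypothetical application with one state-changing endpoint, POST /settings."""

    def __init__(self):
        self.sessions = {}  # session cookie value -> Session
        self.emails = {}    # user -> e-mail address (the state the POST changes)

    def login(self, user):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = Session(user)
        self.emails[user] = f"{user}@example.invalid"
        return cookie

    def get_settings_form(self, cookie):
        """GET /settings: mint a fresh nonce and embed it in the form as a hidden field."""
        session = self.sessions[cookie]
        nonce = secrets.token_urlsafe(32)
        session.csrf_tokens.add(nonce)
        return (
            '<form method="POST" action="/settings">'
            f'<input type="hidden" name="csrf_token" value="{nonce}">'
            '<input name="email"><button>Save</button></form>'
        )

    def post_settings_unprotected(self, cookie, form):
        """Vulnerable handler: trusts any POST that carries a valid session cookie."""
        session = self.sessions.get(cookie)
        if session is None:
            return 401
        self.emails[session.user] = form["email"]
        return 200

    def post_settings_protected(self, cookie, form):
        """Hardened handler: the POST must also carry a nonce this session was issued."""
        session = self.sessions.get(cookie)
        if session is None:
            return 401
        submitted = form.get("csrf_token", "").encode()
        # Constant-time comparison against each outstanding nonce for this session.
        match = next(
            (t for t in session.csrf_tokens if hmac.compare_digest(t.encode(), submitted)),
            None,
        )
        if match is None:
            return 403
        session.csrf_tokens.discard(match)  # "number used once": a replayed nonce is rejected
        self.emails[session.user] = form["email"]
        return 200


def extract_token(html):
    """What the legitimate page itself does: read the nonce out of the form it was served."""
    m = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return m.group(1) if m else None


def simulate():
    """Run the forged, legitimate and replayed requests; return the four status codes."""
    app = SettingsApp()
    cookie = app.login("alice")  # constructed session for the demo

    # Forged cross-site POST: the browser sends the cookie, but the page that
    # built the request could not read the victim's form, so there is no nonce.
    forged = {"email": "attacker@example.invalid"}
    unprotected = app.post_settings_unprotected(cookie, forged)  # 200: state changed
    protected = app.post_settings_protected(cookie, forged)      # 403: rejected

    # Legitimate flow: GET the form, then submit it with the nonce it contains.
    token = extract_token(app.get_settings_form(cookie))
    legit = app.post_settings_protected(
        cookie, {"email": "alice@example.invalid", "csrf_token": token}
    )
    # Submitting the same nonce a second time fails: it was consumed above.
    replay = app.post_settings_protected(
        cookie, {"email": "other@example.invalid", "csrf_token": token}
    )
    return unprotected, protected, legit, replay


if __name__ == "__main__":
    print(simulate())  # (200, 403, 200, 403)
```

The nonce is stored per session and compared with `hmac.compare_digest` so that a token issued to one user cannot authorize another user's request and so that the comparison does not leak timing information; discarding the nonce after a successful check is what makes it a "number used once" rather than a long-lived per-session secret.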

Additionally, security solutions such as Web Application Firewalls (WAFs) provided by F5 BIG-IP Application Security Manager are highly effective in identifying and blocking malicious requests to prevent CSRF vulnerabilities from being exploited.