Cross-Site Request Forgery – All You Need to Know

Introduction to Cross-Site Request Forgery (CSRF)

The Cross-Site Request Forgery (CSRF) vulnerability category spent over 10 years in the OWASP Top 10 (until the 2017 release), yet a large percentage of the development community still doesn’t understand the risk. Our team conducts hundreds of security assessments per year, and the results still show a high percentage of applications that do not have CSRF protection.

Before we define CSRF, let’s address the first question our customers ask. If CSRF is no longer in the OWASP Top 10, do I need to worry about it? Basic threat modeling can help answer the question. Start with this question: Do any of my web applications use cookie-based authentication? If the answer is no, then see your way out here. Unfortunately for most of us, our legacy and model-view-controller (MVC) applications use cookie-based authentication. If you fall into this group, then you have to address CSRF. The main reason CSRF was removed from the OWASP Top 10 is because modern frameworks, such as Spring Boot, .NET MVC / Core, and NodeJS, provide built in protection to prevent CSRF attacks. But, do you know if the CSRF feature is actually enabled and properly configured for all endpoints? Most security teams do not know the answer to this question, which is why you still need to worry about CSRF. Misconfiguration errors in these frameworks now lead to most of the CSRF vulnerabilities identified in our assessments.

About

Cypress Data Defense was founded in 2013 and is headquartered in Denver, Colorado with offices across the United States. Our goal is to help organizations secure their IT development and operations using a pragmatic, risk-based approach. The diverse background of our founders allows us to apply security controls to governance, networks, and applications across the enterprise.

Latest Posts

How to Integrate Security Into a DevOps Cycle

However, DevOps processes aren't restricted to…

Secure SDLC and Best Practices for Outsourcing

A secure software development life cycle (SDLC…

10 Best Practices for Application Security in the Cloud

According to Gartner, the global cloud market will…

Contact

Cypress Data Defense

PO Box 745224

Arvada, CO 80006


PH: 720.588.8133

FX: 720.388.1016


Email: info@cypressdatadefense.com


Social

© Cypress Data Defense, LLC | 2018 - All Rights Reserved