Reduce Risk of Exposure to CSRF or XSRF attacks?

Cross-site request forgery (CSRF or XSRF) exploits take advantage of a website's trust in your browser. When you are logged into a website, an attacker can cause your browser to send a request to that site that appears to come from you, even if you are not actively using the site at the time. For example, while you are logged into a message board or social media account, the attacker could send a request to post a virus download link as if it came from you. While you are logged into your online banking account, an attacker could request a transfer of money from your account into the attacker's account.

The most common ways for an attacker to launch these attacks are through HTML in an email that you view, or JavaScript in an email or website that you view.
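To make the mechanism in the two paragraphs above concrete, here is an added example (not from the original page or from OWASP) of a bank's transfer endpoint written two ways: a version that trusts only the session cookie accepts a request submitted by a form on another site, while the hardened version, which also requires a per-session anti-CSRF token and checks the Origin header, rejects it. The session store, origins, token and both requests are constructed for the example.

```python
import hmac

# Constructed session store: session cookie -> user and per-session anti-CSRF token.
SESSIONS = {"sess-123": {"user": "alice", "csrf_token": "tok-9f1c"}}
SITE_ORIGIN = "https://bank.example"  # constructed: the bank's own origin

def _session(request):
    """Look up the session named by the 'session' cookie, or None."""
    return SESSIONS.get(request.get("cookies", {}).get("session"))

def _do_transfer(user, body):
    return 200, f"{user} sent {body['amount']} to {body['to']}"

def transfer_cookie_only(request):
    """Vulnerable handler: trusts the session cookie alone. The browser attaches
    that cookie even to a POST submitted by a form on another site, so here a
    forged request is indistinguishable from a real one."""
    sess = _session(request)
    if sess is None:
        return 401, "not logged in"
    return _do_transfer(sess["user"], request["body"])

def transfer_hardened(request):
    """Hardened handler: same cookie check, then (1) reject a request whose Origin
    header names another site and (2) require the per-session token, which a page
    on another origin cannot read and therefore cannot supply."""
    sess = _session(request)
    if sess is None:
        return 401, "not logged in"
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site origin rejected"
    sent = request["body"].get("csrf_token", "")
    if not hmac.compare_digest(sent, sess["csrf_token"]):  # constant-time compare
        return 403, "missing or wrong anti-CSRF token"
    return _do_transfer(sess["user"], request["body"])

# Constructed requests. LEGIT is alice submitting the bank's own transfer form.
# FORGED is a hidden form on another site auto-submitted while alice is still
# logged in: the browser adds her cookie, but that page cannot add her token.
LEGIT = {"cookies": {"session": "sess-123"}, "headers": {"Origin": SITE_ORIGIN},
         "body": {"amount": 20, "to": "bob", "csrf_token": "tok-9f1c"}}
FORGED = {"cookies": {"session": "sess-123"}, "headers": {"Origin": "https://attacker.example"},
          "body": {"amount": 500, "to": "mallory"}}

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("forged", FORGED)):
        print(name, transfer_cookie_only(req), transfer_hardened(req))
```

A browser that honours the SameSite cookie attribute would withhold the session cookie from the forged request altogether; the server-side checks above do not rely on that and work in older browsers too.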

Unfortunately, you cannot fully protect yourself against all CSRF attacks—those protections must be implemented by the websites and applications that you use. However, you can substantially reduce your risk of exposure to CSRF attacks by following these web security best practices.

These security practices are based on recommendations from the Open Web Application Security Project (OWASP) Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet:

  • Always log out of websites as soon as you are done using them, particularly any site that sends or receives payments or stores sensitive information.
  • Never open email messages with attachments when you do not recognize the sender.
  • Never open attachments that don’t seem trustworthy or that you did not request.
  • Be suspicious of mass email messages that contain links, pictures, or attachments, even if they are from people you know.
    Email accounts can be compromised by a virus.
  • Always keep your web browser up to date.
    Never use a browser that is no longer being updated by the developer. New security vulnerabilities are found regularly, and browsers must release regular updates to combat them.
  • Do not allow your web browser to save any passwords or other login information.
  • Do not allow your web browser to save your personal or financial information and fill out web forms with it.
  • Do not allow any websites, particularly banking or shopping websites, to remember your personal information, including login information.
    Websites use cookies to remember you, and those stored cookies put you at risk for CSRF attacks.
  • Clear your web browsing data and cookies regularly, preferably after each browsing session.
    Many browser extensions, such as Click & Clean, can do this automatically when you close the browser. The Click & Clean extension is available for both Firefox and Chrome.
  • Use a browser extension such as NoScript (only available for Firefox), which blocks the execution of JavaScript on websites that are not on your list of trusted sites.
    JavaScript is the tool used in most CSRF exploits to execute commands without your knowledge.

JavaScript is essential for many webpages to function as intended, so NoScript will affect your browsing experience. However, it is a useful tool for reducing your risk of CSRF, cross-site scripting (XSS) and other common web exploits.

  • Use two different web browsers: one for accessing sensitive information, such as shopping or banking details, and one for freely browsing the web.
    For example, consider using Firefox, which has NoScript and Click & Clean, for online banking, email, and shopping, and using a different browser, such as Chrome or Safari, for regular web browsing.

For more information about CSRF, see page 12 of The Ten Most Critical Web Application Security Risks from OWASP.

For more information about computer and web security, see the United States Computer Emergency Readiness Team (US-CERT) article on Securing Your Web Browser.
