312-50V11 · Question #271
Which of the following conditions must be given to allow a tester to exploit a Cross-Site Request Forgery (CSRF) vulnerable web application?
The correct answer is D. The web application should not use random tokens.. CSRF attacks succeed when a web application fails to use unpredictable, per-session tokens to validate that state-changing requests were intentionally submitted by the authenticated user.
Question
Which of the following conditions must be given to allow a tester to exploit a Cross-Site Request Forgery (CSRF) vulnerable web application?
Options
- AThe victim user must open the malicious link with an Internet Explorer prior to version 8.
- BThe session cookies generated by the application do not have the HttpOnly flag set.
- CThe victim user must open the malicious link with a Firefox prior to version 3.
- DThe web application should not use random tokens.
How the community answered
(14 responses)- B14% (2)
- C7% (1)
- D79% (11)
Why each option
CSRF attacks succeed when a web application fails to use unpredictable, per-session tokens to validate that state-changing requests were intentionally submitted by the authenticated user.
CSRF is not limited to Internet Explorer or any specific browser version; any browser that automatically includes cookies with cross-origin requests is susceptible.
The HttpOnly flag prevents client-side scripts from accessing cookies to defend against XSS-based cookie theft, but it does not prevent the browser from automatically attaching cookies to forged cross-site requests.
CSRF vulnerability is not tied to Firefox or any particular browser version; the attack relies on the browser's standard behavior of sending cookies with all matching requests, regardless of origin.
The primary defense against CSRF is the inclusion of a unique, secret, unpredictable anti-CSRF token in every state-changing request, which the server validates. If the application does not use such random tokens, an attacker can craft a malicious request that the victim's browser will automatically send with valid session credentials, and the server has no way to distinguish it from a legitimate request. The absence of token validation is the core architectural condition that makes CSRF exploitation possible.
Concept tested: CSRF anti-token protection requirement
Source: https://owasp.org/www-community/attacks/csrf
Topics
Community Discussion
No community discussion yet for this question.