nerdexam
(ISC)2

CISSP · Question #900

Which of the following mechanisms will BEST prevent a Cross-Site Request Forgery (CSRF) attack?

The correct answer is C. synchronized session tokens. CSRF attacks trick authenticated users into submitting malicious requests; synchronized session tokens are the standard defense by requiring a secret, unpredictable value that the attacker cannot forge.

Submitted by minji_kr· Mar 5, 2026Software Development Security

Question

Which of the following mechanisms will BEST prevent a Cross-Site Request Forgery (CSRF) attack?

Options

  • Aparameterized database queries
  • Bwhitelist input values
  • Csynchronized session tokens
  • Duse strong ciphers

How the community answered

(47 responses)
  • A
    6% (3)
  • B
    2% (1)
  • C
    79% (37)
  • D
    13% (6)

Why each option

CSRF attacks trick authenticated users into submitting malicious requests; synchronized session tokens are the standard defense by requiring a secret, unpredictable value that the attacker cannot forge.

Aparameterized database queries

Parameterized database queries prevent SQL injection attacks by separating code from data, but they have no bearing on whether the server can distinguish a legitimate user-initiated request from a forged cross-site one.

Bwhitelist input values

Whitelisting input values is a defense against input validation attacks such as XSS or command injection; it does not prevent CSRF because the forged request may contain entirely valid input values.

Csynchronized session tokensCorrect

Synchronized (anti-CSRF) tokens work by embedding a unique, secret, per-session token in each form or request that the server validates before processing state-changing actions. Because the attacker's forged request originates from a different origin and cannot read the victim's session token (due to the same-origin policy), the malicious request will be rejected. This is the primary, purpose-built mitigation for CSRF attacks recommended by OWASP.

Duse strong ciphers

Using strong ciphers (TLS) protects data in transit from eavesdropping and man-in-the-middle attacks, but it does not help the server verify that an authenticated request was intentionally initiated by the legitimate user rather than forged by a malicious site.

Concept tested: CSRF prevention using synchronized anti-CSRF tokens

Source: https://owasp.org/www-community/attacks/csrf

Topics

#CSRF#Anti-CSRF token#Web application security#Session management

Community Discussion

No community discussion yet for this question.

Full CISSP Practice