CISSP · Question #900
Which of the following mechanisms will BEST prevent a Cross-Site Request Forgery (CSRF) attack?
The correct answer is C. synchronized session tokens. CSRF attacks trick authenticated users into submitting malicious requests; synchronized session tokens are the standard defense by requiring a secret, unpredictable value that the attacker cannot forge.
Question
Which of the following mechanisms will BEST prevent a Cross-Site Request Forgery (CSRF) attack?
Options
- Aparameterized database queries
- Bwhitelist input values
- Csynchronized session tokens
- Duse strong ciphers
How the community answered
(47 responses)- A6% (3)
- B2% (1)
- C79% (37)
- D13% (6)
Why each option
CSRF attacks trick authenticated users into submitting malicious requests; synchronized session tokens are the standard defense by requiring a secret, unpredictable value that the attacker cannot forge.
Parameterized database queries prevent SQL injection attacks by separating code from data, but they have no bearing on whether the server can distinguish a legitimate user-initiated request from a forged cross-site one.
Whitelisting input values is a defense against input validation attacks such as XSS or command injection; it does not prevent CSRF because the forged request may contain entirely valid input values.
Synchronized (anti-CSRF) tokens work by embedding a unique, secret, per-session token in each form or request that the server validates before processing state-changing actions. Because the attacker's forged request originates from a different origin and cannot read the victim's session token (due to the same-origin policy), the malicious request will be rejected. This is the primary, purpose-built mitigation for CSRF attacks recommended by OWASP.
Using strong ciphers (TLS) protects data in transit from eavesdropping and man-in-the-middle attacks, but it does not help the server verify that an authenticated request was intentionally initiated by the legitimate user rather than forged by a malicious site.
Concept tested: CSRF prevention using synchronized anti-CSRF tokens
Source: https://owasp.org/www-community/attacks/csrf
Topics
Community Discussion
No community discussion yet for this question.