Walker News

How To Prevent CSRF Attack?

According to Wikipedia, a cross-site request forgery (CSRF) attack rarely succeeds because it is limited by a few constraints, but that doesn’t mean online users can ignore this threat or give CSRF attempts a chance.

Because a CSRF attack relies on the browser attaching the session cookie of an account you are logged into, you should obviously avoid directly clicking or opening hyperlinks found inside an online account (Gmail, Facebook, Hotmail, etc.), unless the hyperlink points to the same or a trusted domain (website).

If you’re tempted to view the linked content, copy its hyperlink and open it in a different brand of web browser, i.e. if you’re accessing Gmail in IE9, copy the hyperlink from the email and open it in Google Chrome, Firefox, or Opera.
Why must it be a different brand of web browser? You should have noticed this:

After logging in to Facebook using Firefox, open a new Firefox window and go to Facebook.com. The new window automatically displays your Facebook profile without prompting for login / authentication. This happens because the new window inherits the right to access the Facebook session cookie that is used by the first window.

This session sharing feature is on by default in most modern web browsers (not limited to Firefox) but may be disabled using a (3rd-party) browser addon/plugin or a built-in option (e.g. the Internet Explorer -nomerge option or a Google Chrome Incognito window).

Therefore, it’s not necessary to install more than one web browser to mitigate CSRF risk, IF you know for certain that the session sharing feature has been disabled AND there is no known or hidden (yet to be exploited or discovered) software flaw that allows different browser windows to access the session cookie even though session sharing is explicitly disabled.

I guess using a different brand of web browser is a safer play unless there is a serious system bug that even allows different brands of browsers to access each other’s session cookies (that’s a disaster)!


2016  •  Privacy Policy