Overview of methods for protecting Web-applications from CSRF vulnerabilities (Cross-Site Request Forgery)

DOI:

https://doi.org/10.18372/2073-4751.71.17000

Keywords:

CSRF-attack, Cross-Site Request Forgery, data protection, Web-application

Abstract

The article presents a study of methods for protecting Web-applications from CSRF vulnerabilities (Cross-Site Request Forgery). The conducted research showed that Web-developers do not pay enough attention to protection against attacks such as Cross-Site Request Forgery. The authors therefore systematized and proposed a complex of methods of protection against CSRF-attacks and formed recommendations for Web-application developers to ensure comprehensive protection against such attacks. The authors suggest using a number of methods in combination: a CSRF-token carried in the request body and in an HTTP-header, transferring data in an alternative form without using the MIME-types of HTML-forms, checking the Referer header, using the SameSite cookie attribute, and requiring the user to confirm sensitive operations.

The proposed methods will allow developers to create secure Web-applications that are invulnerable to CSRF-attacks.
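As an added illustration (not code from the article or its authors), the following server-side gate combines several of the defences the abstract lists: an HMAC-bound CSRF-token accepted from either an HTTP-header or the request body, an Origin/Referer check, a JSON-only content type for state-changing requests (so a plain HTML-form cannot produce them), and a session cookie issued with SameSite=Strict. The secret key, the allowed origin `https://app.example`, the header name `X-CSRF-Token` and the `check_request` helper are all assumptions made for this example.

```python
"""Added example (not from the article): a minimal CSRF gate that a
Web-application would run before any state-changing handler."""
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical deployment values: a per-deployment secret and the single
# origin from which state-changing requests are accepted.
SECRET_KEY = secrets.token_bytes(32)
ALLOWED_ORIGIN = "https://app.example"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
JSON_CONTENT_TYPE = "application/json"


def _lower(headers: dict) -> dict:
    """HTTP header names are case-insensitive; normalise once."""
    return {k.lower(): v for k, v in headers.items()}


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session. SameSite=Strict keeps the browser
    from attaching it to cross-site requests; Secure and HttpOnly limit
    exposure over plaintext and to scripts."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def issue_csrf_token(session_id: str) -> str:
    """Token = random nonce + HMAC(secret, session_id.nonce). Binding the
    MAC to the session means a token leaked from one session is useless
    in another, and none can be forged without the server secret."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    parts = token.split(".")
    if len(parts) != 2:
        return False
    nonce, mac = parts
    expected = hmac.new(SECRET_KEY, f"{session_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    # constant-time comparison avoids leaking the MAC byte by byte
    return hmac.compare_digest(mac, expected)


def referer_allowed(headers: dict) -> bool:
    """Accept only when Origin (preferred) or Referer names the allowed
    origin. A missing header is rejected rather than trusted, because a
    cross-site request can arrive without one."""
    h = _lower(headers)
    source = h.get("origin") or h.get("referer")
    if not source:
        return False
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == ALLOWED_ORIGIN


def check_request(method: str, headers: dict, body_fields: dict, session_id: str) -> tuple:
    """Return (allowed, reason). body_fields is the already-parsed JSON body."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"          # must be side-effect free by design
    h = _lower(headers)
    content_type = h.get("content-type", "").split(";")[0].strip().lower()
    if content_type != JSON_CONTENT_TYPE:
        # HTML-forms can only send urlencoded, multipart or text/plain bodies,
        # so insisting on JSON rules out a forged <form> submission outright.
        return False, "content-type"
    if not referer_allowed(headers):
        return False, "origin"
    token = h.get("x-csrf-token") or body_fields.get("csrf_token")
    if not token or not verify_csrf_token(session_id, token):
        return False, "token"
    return True, "ok"


if __name__ == "__main__":
    sid = "sess-123"                          # constructed session id
    tok = issue_csrf_token(sid)
    print(session_cookie_header(sid))
    print(check_request("POST", {"Origin": ALLOWED_ORIGIN,
                                 "Content-Type": "application/json",
                                 "X-CSRF-Token": tok}, {}, sid))
```

Each check rejects a different class of forged request, which is the point of layering them: the content-type rule stops plain form posts, the origin rule stops cross-site fetches that do get sent, the session-bound token stops anything that slips past both, and the SameSite cookie means most cross-site requests never carry the session at all. The user-confirmation step the abstract also recommends sits above this gate, in the handler for the sensitive operation itself.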

References

Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core [Electronic resource]. – Access mode: https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-6.0

G. Pellegrino, M. Johns, S. Koch, M. Backes and C. Rossow. Deemon: Detecting CSRF with dynamic analysis and property graphs, Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security CCS, 2017. – October 30 - November 03, 2017. – P. 1757-1771.

Likaj, Xhelal; Khodayari, Soheil; Pellegrino, Giancarlo. Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks. In: 24th International Symposium on Research in Attacks, Intrusions and Defenses. – 2021. – P. 370-385.

Peguero, Ksenia; Cheng, Xiuzhen. CSRF protection in JavaScript frameworks and the security of JavaScript applications. High-Confidence Computing – 2021. – P. 1.2: 100035.

Compagna, Luca, et al. A preliminary study on the adoption and effectiveness of SameSite cookies as a CSRF defence. In: 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE. – 2021. – P. 49-59.

National Vulnerability Database: CSRF statistics [Electronic resource]. – Access mode: https://nvd.nist.gov/vuln/search/statistics?form_type=Advanced&results_type=statistics&query=CSRF&search_type=all

OWASP Cross Site Request Forgery (CSRF) [Electronic resource]. – Access mode: https://owasp.org/www-community/attacks/csrf

Reviewing Code for Cross-Site Request Forgery Issues [Electronic resource]. – Access mode: https://owasp.org/www-project-code-review-guide/reviewing-code-for-csrf-issues

Documentation for Web developers (Referer) [Electronic resource]. – Access mode: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer

Documentation for Web developers (Cookies) [Electronic resource]. – Access mode: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

Cross-Site Request Forgery Prevention Cheat Sheet [Electronic resource]. – Access mode: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#user-interaction-based-csrf-defense

Published

2022-11-01

Section

Articles