New Cross-Site Request Forgery Attacks
CSRF vulnerabilities occur when a website allows an authenticated user to perform a sensitive action but does not verify that the user herself is invoking that action. The key to understanding CSRF attacks is to recognize that websites typically don’t verify that a request came from an authorized user. Instead they verify only that the request came from the browser of an authorized user. Because browsers run code sent by multiple sites, there is a danger that one site will (unbeknownst to the user) send a request to a second site, and the second site will mistakenly think that the user authorized the request.
If a user visits an attacker’s website, the attacker can force the user’s browser to send a request to a page that performs a sensitive action on behalf of the user. The target website sees a request coming from an authenticated user and happily performs some action, whether it was invoked by the user or not. CSRF attacks have been confused with Cross-Site Scripting (XSS) attacks, but they are very different. A site completely protected from XSS is still vulnerable to CSRF attacks if no protections are taken.
Paper here.
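The distinction the quoted paragraphs draw, a server that verifies only the browser's cookie versus one that also verifies a secret the user's own page supplied, as an added example; this is not code from the post or the paper, and the session store, request shape and handler names are constructed for illustration:

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample state: one logged-in user whose browser holds the session cookie.
# The per-session CSRF token would be embedded in the site's own forms when rendered.
SESSIONS = {"sess-abc123": {"user": "alice", "csrf_token": secrets.token_hex(16)}}


@dataclass
class Request:
    cookies: dict                       # what the browser attaches automatically
    form: dict = field(default_factory=dict)  # what the submitting page controlled


def transfer_vulnerable(req: Request):
    """Checks only that a valid session cookie is present.
    The browser attaches that cookie to every request to this site, including one
    triggered by a page on another origin, so this cannot tell user from browser."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    return 200, f"transferred {req.form['amount']} for {session['user']}"


def transfer_protected(req: Request):
    """Additionally requires the secret token that only this site's own page
    could have embedded. Another origin cannot read it, so its request fails."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {req.form['amount']} for {session['user']}"


def simulate_cross_site_request() -> Request:
    """A request as it arrives when some other site's page submits a form to us:
    the browser adds the cookie, but the form carries only what that page set."""
    return Request(cookies={"session": "sess-abc123"}, form={"amount": "1000"})


def simulate_same_site_request() -> Request:
    """The same action from the site's own form, which included the token."""
    token = SESSIONS["sess-abc123"]["csrf_token"]
    return Request(cookies={"session": "sess-abc123"},
                   form={"amount": "1000", "csrf_token": token})


if __name__ == "__main__":
    print(transfer_vulnerable(simulate_cross_site_request()))   # accepted: 200
    print(transfer_protected(simulate_cross_site_request()))    # rejected: 403
    print(transfer_protected(simulate_same_site_request()))     # accepted: 200
```

Logging the 403 responses from `transfer_protected` is a cheap detection signal: a logged-in session posting without its token is exactly the pattern a cross-site submission produces.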
Sparky • October 6, 2008 7:57 AM
Interesting how new attack vectors are still found every now and then.
Couldn’t this be fixed completely client-side, by having the browser tag the tabs that have been opened from a link on the authenticated site, and not send the authenticating information if the tab hasn’t been tagged? The tag should probably be erased as soon as the user types anything in the address bar, or follows a link to another domain (in other words, when the user is re-using the browser tab).