CompTIA Exam Questions

Which of the following is the BEST way to prevent Cross-Site Request Forgery (XSRF) attacks?

A. Check the referrer field in the HTTP header
B. Disable Flash content
C. Use only cookies for authentication
D. Use only HTTPS URLs

Explanation:
XSRF, or cross-site request forgery, applies to web applications and is an attack that exploits the web
application's trust in a user who is known, or is supposed, to have been authenticated. This is accomplished
by changing values in the HTTP header and even in the user's cookie to falsify access. It can be prevented
by embedding additional authentication data into requests so that the web application can detect
requests from unauthorized locations. Examples are synchronizer token patterns, cookie-to-header
tokens, and checking the HTTP Referrer header and the HTTP Origin header.
Incorrect Answers:
B: Flash content is not used in Cross-Site Request Forgery (XSRF) attacks, so disabling Flash content would
not prevent Cross-Site Request Forgery (XSRF) attacks.
C: Cookies are plain-text files that a browser stores on a user's hard disk to provide a persistent,
customized web experience for each visit to a web site. They typically contain information about the user
but are not used for authentication.
D: HTTP Secure (HTTPS) combines HTTP with SSL/TLS to provide encrypted communication. This does not
prevent XSRF.
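The two defences named in the explanation, a synchronizer token bound to the session plus an Origin/Referrer check, as an added example that is not from the study guide or the exam; the session store, SITE_ORIGIN and all function names are assumptions made for illustration:

```python
import secrets
from urllib.parse import urlsplit

# Constructed for this example: the site's own origin and an in-memory session store
# (a real application keeps this in its server-side session state).
SITE_ORIGIN = "https://bank.example"
SESSION_TOKENS = {}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token pattern: mint a random token, keep it server-side for this
    session, and embed it in every state-changing form (hidden field) or custom header.
    A forged cross-site request cannot read it, so it cannot include it."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def token_is_valid(session_id: str, submitted: str) -> bool:
    """Compare the submitted token with the one stored for this session, in constant time."""
    expected = SESSION_TOKENS.get(session_id)
    if not expected or not submitted:
        return False
    return secrets.compare_digest(expected, submitted)


def origin_is_trusted(headers: dict) -> bool:
    """Header check from the explanation: Origin (or, if absent, Referer) must name this
    site. The header really is spelled 'Referer' on the wire. A request carrying neither
    is rejected, because a cross-site submission may arrive with both stripped."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return False
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def accept_state_change(session_id: str, form: dict, headers: dict) -> bool:
    """Allow a state-changing request only when BOTH checks pass. The session cookie
    alone proves nothing: the browser attaches it to cross-site requests automatically,
    which is exactly what XSRF exploits."""
    return origin_is_trusted(headers) and token_is_valid(session_id, form.get("csrf_token", ""))
```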

http://en.wikipedia.org/wiki/Cross-site_request_forgery
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 75, 335, 339, 340-341