Preventing Cross-Site Request Forgery | OWASP Guidelines | Exam '400-251: CCIE Security Written Exam' | Cisco

OWASP Recommended Method to Prevent Cross-Site Request Forgery



According to OWASP guidelines, what is the recommended method to prevent cross-site request forgery?



A. Allow only POST requests.
B. Mark all cookies as HTTP only.
C. Use per-session challenge tokens in links within your web application.
D. Use the "secure" attribute for cookies.
E. Require strong passwords.


According to OWASP (Open Web Application Security Project) guidelines, cross-site request forgery (CSRF) is an attack in which a malicious website or web application causes a user's browser to send unwanted, state-changing requests to a trusted website where the user is currently authenticated.

To prevent CSRF attacks, OWASP recommends the synchronizer token pattern: per-session (or per-request) challenge tokens embedded in the forms and links of your web application. This works because, in a CSRF attack, the attacker causes the victim's browser to send a forged request, and the browser automatically attaches any cookies associated with the target site, including the session cookie. The cookie therefore proves nothing about where the request originated. The token does: the attacker's page cannot read it, because the same-origin policy prevents a page on attacker.example from reading responses from the target site, so a forged request arrives without a valid token.

With per-session challenge tokens, the web application generates an unpredictable token when the session is created, stores it server-side, and adds it to every form or link that performs a state-changing action. The server verifies that the submitted token matches the one stored for the session before processing the request, so only requests that originated from the application's own pages are accepted. In practice the token should be carried in a hidden form field or a custom request header rather than a URL query string, since tokens in URLs leak through Referer headers, browser history and access logs. Setting the session cookie's SameSite attribute is a useful defence in depth, but it is not a substitute for the token check.
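The synchronizer token pattern described above, as an added Python example (this is not code from the exam page or from OWASP; the in-memory session store, the /transfer form and the request traffic are constructed for illustration). It shows the legitimate submission succeeding while two forged cross-site POSTs, one without a token and one with a guessed token, are rejected even though both carry the victim's session cookie:

```python
import hmac
import secrets

# In-memory stand-in for the server-side session store (constructed for this example).
SESSIONS: dict[str, dict] = {}  # session_id -> {"user": ..., "csrf_token": ...}


def login(user: str) -> str:
    """Create a session and mint one unpredictable CSRF token for it (per-session token)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid: str) -> str:
    """Embed the session's token as a hidden form field, not a URL parameter,
    so it does not leak via Referer headers, history or access logs."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/transfer">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input name="to"><input name="amount"><button>Send</button>\n'
        "</form>"
    )


def handle_transfer(cookies: dict, form: dict) -> tuple[int, str]:
    """Server-side handler for POST /transfer.

    The session cookie is attached by the browser automatically, so its presence
    proves nothing about where the request came from; the token must match too."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not authenticated"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; both values are URL-safe ASCII, so str operands are fine.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    return 200, f"{session['user']} sent {form['amount']} to {form['to']}"


def demo() -> dict:
    """Legitimate submission vs. two forged cross-site POSTs (constructed traffic)."""
    sid = login("alice")
    cookies = {"session": sid}  # what Alice's browser sends to the bank on every request

    # 1. Alice submits the real form: her browser carries the hidden token along.
    token = SESSIONS[sid]["csrf_token"]
    legit = handle_transfer(cookies, {"csrf_token": token, "to": "bob", "amount": "10"})

    # 2. attacker.example auto-submits a hidden form to the bank's /transfer endpoint.
    #    The browser still attaches Alice's cookie, but the same-origin policy keeps the
    #    attacker's page from reading her token, so the forged POST carries none.
    forged = handle_transfer(cookies, {"to": "mallory", "amount": "10000"})

    # 3. Guessing the token fails too: 256 bits of randomness from secrets.token_urlsafe.
    guessed = handle_transfer(
        cookies, {"csrf_token": secrets.token_urlsafe(32), "to": "mallory", "amount": "10000"}
    )

    return {"legit": legit[0], "forged": forged[0], "guessed": guessed[0]}


if __name__ == "__main__":
    print(demo())  # {'legit': 200, 'forged': 403, 'guessed': 403}
```

Note that both forged requests are POSTs, which is why restricting the application to POST (option A) would not have helped: the browser attaches the session cookie to a cross-site POST exactly as it does to a GET.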

Therefore, option C is the correct answer.

Option A, allowing only POST requests, is not a solution: a POST can be forged as easily as a GET, for example with a hidden form on the attacker's page that JavaScript submits automatically, and the browser still attaches the session cookie to it.

Option B, marking all cookies as HTTP only, is good practice because it stops scripts from reading the cookie, but it does not prevent CSRF: the browser still sends the cookie automatically with every request to the site, which is exactly what a CSRF attack relies on.

Option D, using the "secure" attribute for cookies, ensures that cookies are only transmitted over an encrypted HTTPS connection; it protects the cookie from interception on the network but does not prevent CSRF.

Option E, requiring strong passwords, is a good security practice, but it doesn't directly prevent CSRF attacks.