What is Cross-site request forgery (CSRF/XSRF)?

Cross-site request forgery (CSRF / XSRF) is a security threat that has affected many crucial websites, such as those of banks and governments. It allows an unauthorized party to make requests to the application on behalf of the real user, without that user's knowledge. Let's get into the details.


When does CSRF happen?


Consider this scenario: a user logs into his bank account in a browser and, before logging out, browses other sites (including a malicious one) in another tab of the same browser. The malicious site may contain links or JavaScript that make a request to the bank site to transfer money to the attacker's account; because the browser automatically attaches the user's session cookie to that request, the bank treats it as if the user had made it. CSRF exploits the trust that a site has in the user's browser.

How to prevent this?

The most common prevention method is the Synchronizer Token Pattern, although several other mechanisms exist. With the Synchronizer Token Pattern, the server generates a unique secret token, embeds it in the HTML form sent to the client, and verifies it on the server side when the form is submitted. Tokens can be created in different ways, for example by hashing. A malicious site cannot read this token, so it cannot place it in a forged request.

CSRF / XSRF token mismatch issue: As described above, if the token sent from the client to the server is not successfully verified, the application will throw a 500 Internal Server Error with the message "CSRF/XSRF token mismatch".

CSRF / XSRF token mismatch issue in a clustered environment: When multiple application servers run in parallel behind a load balancer, the load balancer may send each request to a different application server. If the token is stored in a server-local session, the server that receives the form submission does not hold the token that another server issued, so the tokens mismatch. To solve this, we can use Sticky Sessions (session affinity), which bind a user's session to one specific application server, so that no token mismatch occurs.
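As an added illustration (not code from the original post), here is a small Python simulation of the Synchronizer Token Pattern and of the clustered-environment mismatch described above: two application servers each keep their own in-memory session store, a round-robin load balancer makes the token check fail, and session affinity fixes it. All class and function names are constructed for this example.

```python
import hmac
import re
import secrets

class AppServer:
    """One application server with its own in-memory session store (constructed example)."""
    def __init__(self, name):
        self.name = name
        self.sessions = {}  # session_id -> {"csrf_token": ...}

    def render_form(self, session_id):
        # Synchronizer token: one unpredictable secret per session, embedded as a hidden field.
        session = self.sessions.setdefault(session_id, {})
        token = session.setdefault("csrf_token", secrets.token_urlsafe(32))
        return f'<input type="hidden" name="_csrf" value="{token}">'

    def handle_post(self, session_id, form):
        # Compare the submitted token with the session's copy in constant time.
        expected = self.sessions.get(session_id, {}).get("csrf_token")
        if expected is None or not hmac.compare_digest(expected, form.get("_csrf", "")):
            return 403, "CSRF token mismatch"  # the post's stack surfaces this as a 500
        return 200, "transfer accepted"

class LoadBalancer:
    """Round-robin by default; with sticky=True each session is pinned to one server."""
    def __init__(self, servers, sticky=False):
        self.servers, self.sticky, self.calls, self.affinity = servers, sticky, 0, {}

    def route(self, session_id):
        if self.sticky:
            return self.affinity.setdefault(session_id, self.servers[len(self.affinity) % len(self.servers)])
        server = self.servers[self.calls % len(self.servers)]
        self.calls += 1
        return server

def legit_flow(lb, session_id="sess-alice"):
    """The user loads the form, then submits it with the embedded token; returns the HTTP status."""
    html = lb.route(session_id).render_form(session_id)
    token = re.search(r'name="_csrf" value="([^"]+)"', html).group(1)
    return lb.route(session_id).handle_post(session_id, {"_csrf": token})[0]

def forged_flow(lb, session_id="sess-alice"):
    """A request from another origin: the cookie identifies the session, but the token is unknown."""
    lb.route(session_id).render_form(session_id)  # the victim already has a session
    return lb.route(session_id).handle_post(session_id, {"_csrf": "not-the-real-token"})[0]

if __name__ == "__main__":
    print(legit_flow(LoadBalancer([AppServer("a")])))                                 # 200
    print(forged_flow(LoadBalancer([AppServer("a")])))                                # 403
    print(legit_flow(LoadBalancer([AppServer("a"), AppServer("b")])))                 # 403: mismatch across servers
    print(legit_flow(LoadBalancer([AppServer("a"), AppServer("b")], sticky=True)))    # 200: session affinity
```

A shared session store (or a token derived from a secret all servers hold) would be the alternative to sticky sessions, since then every server could verify any issued token.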


For more details, visit: Wiki and Sticky Session

Image Credits:  Grasshopper.com, blog.iyog
