Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection
A Cross-Site Request Forgery (CSRF) attack occurs when a malicious web page instructs the user's browser to send a request to a vulnerable website; because the browser automatically attaches the user's credentials (such as session cookies) to that request, the vulnerable site performs actions the user never intended. CSRF vulnerabilities are very common, and the consequences are most serious for financial websites. The authors recognize CSRF as an instance of the confused deputy problem: websites treat the browser as the user's deputy, but the browser can be tricked into sending requests that violate the user's intentions. They propose Browser-Enforced Authenticity Protection (BEAP), a browser-based mechanism that defends against CSRF attacks.
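To make the confused-deputy point concrete, here is an added example (not code from the paper or from the BEAP implementation) that simulates a cookie-authenticated bank, a browser that attaches the bank's cookie to every request to it, and a malicious page that forges a transfer. The `authenticityPolicy` is a deliberately simplified stand-in for a browser-enforced defense: it strips credentials from cross-site non-GET requests that the user did not initiate. Its rules are an assumption for illustration and are not the paper's actual inference rules; the hosts, cookie value and request shapes are constructed.

```javascript
// Toy model of a CSRF attack and of a browser-side credential-stripping defense.
// Everything here is constructed for illustration; it is not the paper's code.

const SESSION_COOKIE = "session=alice-token"; // constructed session credential

// Toy bank: authenticates purely by cookie, the pattern that makes CSRF possible.
// Only a POST to /transfer moves money.
function bankHandle(req) {
  if (req.headers.cookie !== SESSION_COOKIE) {
    return { status: 403, body: "not logged in", transferred: false };
  }
  if (req.method === "POST" && req.path === "/transfer") {
    return { status: 200, body: `sent ${req.body.amount} to ${req.body.to}`, transferred: true };
  }
  return { status: 200, body: "ok", transferred: false };
}

// Toy browser: holds the bank's cookie and consults a policy to decide whether
// to attach it. `initiator` is the origin of the page that caused the request,
// or "user" for a request the user typed or clicked from the address bar/bookmarks.
function makeBrowser(policy) {
  const cookieJar = { "bank.example": SESSION_COOKIE };
  return {
    send(initiator, req) {
      const headers = {};
      const cookie = cookieJar[req.host];
      if (cookie && policy.attachCredentials(initiator, req)) {
        headers.cookie = cookie; // the deputy hands over the user's authority
      }
      return bankHandle({ ...req, headers });
    },
  };
}

// Policy 1: the naive browser attaches credentials to every request, regardless
// of who caused it. This is the confused-deputy behaviour CSRF exploits.
const naivePolicy = { attachCredentials: () => true };

// Policy 2: simplified authenticity check (assumption: not BEAP's exact rules).
// Credentials are attached only when the request is user-initiated, same-origin,
// or a cross-site GET (kept so ordinary cross-site links keep working; a site
// that changes state on GET would remain exposed under this rule).
const authenticityPolicy = {
  attachCredentials(initiator, req) {
    if (initiator === "user") return true;
    if (initiator === req.host) return true;
    if (req.method === "GET") return true;
    return false; // cross-site, non-GET, not user-initiated: strip credentials
  },
};

// Constructed malicious page: an auto-submitting form targeting the bank.
function forgedTransferRequest() {
  return {
    host: "bank.example",
    method: "POST",
    path: "/transfer",
    body: { to: "mallory", amount: 1000 },
  };
}

// Attack: evil.example's page causes the browser to POST to the bank.
function runAttack(policy) {
  return makeBrowser(policy).send("evil.example", forgedTransferRequest());
}

// Baseline: the same transfer initiated from the bank's own page must still work.
function runLegitimateTransfer(policy) {
  const req = { host: "bank.example", method: "POST", path: "/transfer", body: { to: "bob", amount: 5 } };
  return makeBrowser(policy).send("bank.example", req);
}
```

Under `naivePolicy` the forged POST carries the session cookie and the bank executes it; under `authenticityPolicy` the cookie is withheld, the bank answers 403, and the same-origin transfer is unaffected. The server-side code is identical in both runs, which is the point of a browser-enforced defense: the deputy stops lending its authority to requests the user did not intend.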