As we've done in recent months (here and here), we are going to dive into a fairly common attack and understand how it happens and most importantly what you can do to stop it. The attack du jour is called Cross-site Request Forgery (CSRF) and it may be the most sophisticated attack out there -- and also the hardest to detect and defend against.

A key similarity that CSRF has with cross-site scripting is the attack targets the user, not necessarily your web site. So you could, in effect, be the carrier for this attack, compromising both your visitors, as well as other high profile sites.

What is CSRF? How does it happen?

CSRF is a pretty ingenious attack. Basically, the attacker embeds malicious code onto a web site (via images, HTML or JavaScript), and when the user renders the page (and presumably executes the malicious code), a request on behalf of the user (inheriting his/her identity and privileges) is sent to a third site, but unbeknownst to the user. The third site has no idea the request is not legitimate (since it comes from a verified identity with a legitimate credential), so it honors the request -- which is usually bad for the user.

In the example of the highest profile CSRF attack to date, Gmail was targeted. The attack basically was embedded into many web sites, which then would request that Gmail add a filter to forward a copy of all mail to the attacker's email address. Yes, the user had no idea that they actually authorized Google to send all their mail to the attacker.

The only way folks realized this was to peruse their list of filters and look for something suspicious. If you have a ton of filters, like I do, that's kind of hard -- so it's not surprising that some of the best security folks I know got nailed from this attack.