Cross-site request forgery, or CSRF, takes advantage of a user’s authenticated browser state to make requests on their behalf from a malicious website. For request handlers that do not require an additional piece of authenticating information (e.g. a CSRF token), this can lead to the unauthorized modification of a user’s data or settings.
On GitHub.com, we use Rails’ Authenticity Token to protect against CSRF attacks. All state-changing requests require validation of this token, which is sent either in an HTTP header (`X-CSRF-Token`) or as a POST parameter (`authenticity_token`).
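The following is an added example, not GitHub’s code and not Rails’ own implementation: a stripped-down, dependency-free model of the check that Rails’ `protect_from_forgery` performs. A random token lives in the server-side session; a state-changing request is accepted only if it carries that same token in the `X-CSRF-Token` header or the `authenticity_token` parameter, compared in constant time. Function and session key names (`verified_request?`, `:_csrf_token`) are assumptions for illustration. Real Rails additionally masks the token with a per-request one-time pad (to blunt BREACH-style compression attacks); that is omitted here.

```ruby
require 'securerandom'

# Methods that must never change state, so they are exempt from the token check.
# (If a GET handler does mutate data, this exemption is exactly the CSRF hole.)
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Assumed session key; Rails uses a similar per-session secret.
TOKEN_KEY = :_csrf_token

# Lazily create one unguessable token per session. The attacker's page cannot
# read it: the same-origin policy keeps our responses opaque to other origins.
def csrf_token(session)
  session[TOKEN_KEY] ||= SecureRandom.urlsafe_base64(32)
end

# Constant-time string comparison so a token cannot be guessed byte by byte
# through timing. Length mismatch returns early; length itself is public.
def constant_time_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical request check modelled on protect_from_forgery:
#   - safe methods pass without a token,
#   - otherwise the header or parameter must equal the session's token.
def verified_request?(session:, method:, params: {}, headers: {})
  return true if SAFE_METHODS.include?(method.to_s.upcase)

  expected = session[TOKEN_KEY]
  return false if expected.nil?            # session never issued a token

  supplied = headers['X-CSRF-Token'] || params['authenticity_token']
  constant_time_equal?(expected, supplied)
end

if __FILE__ == $PROGRAM_NAME
  victim = {}
  token  = csrf_token(victim)

  # Legitimate form submission rendered by our own page: carries the token.
  puts verified_request?(session: victim, method: 'POST',
                         params: { 'authenticity_token' => token })   # true

  # Forged POST from attacker.example: browser attaches the victim's cookies
  # (hence the victim session), but the attacker cannot supply the token.
  puts verified_request?(session: victim, method: 'POST',
                         params: { 'setting' => 'off' })              # false

  # Attacker replays a token from their *own* session: wrong session, rejected.
  attacker = {}
  puts verified_request?(session: victim, method: 'POST',
                         headers: { 'X-CSRF-Token' => csrf_token(attacker) }) # false
end
```

The third case is the one that distinguishes a session-bound token from a naive "any valid-looking token" check: the attacker can always obtain a token for their own account, so the comparison must be against the token tied to the victim’s session, never against a global list of issued tokens.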
More about CSRF vulnerabilities from OWASP’s Top 10:
CSRF takes advantage of the fact that most web apps allow attackers to predict all the details of a particular action. Because browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones.
| Rank | Points | Reporter | Report |
|---|---|---|---|
| 1 | 1000 pts | Abss | CSRF in opting out of organization invites |
| 2 | 800 pts | Ben Holden-Crowther | CSRF in Gist abuse reporting |
| 3 | 1000 pts | Lukas Reschke | CSRF on import function |
| 4 | 1000 pts | @ealf | Incorrect URL origin parsing in Safari |
| 5 | 500 pts | Antonio Sanso | Authorized OAuth application scope removal CSRF |