Cross-Site Request Forgery (CSRF)

5 minutes 5 Questions

Cross-Site Request Forgery (CSRF) is a web security vulnerability that forces a user's browser to perform unwanted actions on a web application in which they are authenticated. CSRF attacks exploit the trust that web applications have for authenticated users and can result in unauthorized data modi…

CompTIA Security+ - Cross-Site Request Forgery (CSRF) Example Questions

Test your knowledge of Cross-Site Request Forgery (CSRF)

Question 1

A company has implemented a password reset form that includes a secret question and answer as part of the process. An attacker can reset a victim's password by submitting a CSRF attack with a forged password reset request. What method can the developer use to prevent this attack?

Question 2

An e-commerce website allows users to view their order history. After logging in, a user can access the order history page by clicking the "viewOrder?id=xxx" link. An attacker sends a victim an email with an image element pointing to the "viewOrder?id=yyy" URL. How can the developer mitigate this potential CSRF attack?

Question 3

A social media website's "like" feature uses a link in the following format: "like.php?post_id=123456". An attacker sends a link to the victim's email with the same URL format to trick the user into liking a malicious post. What measure can the developer implement to prevent abuse of this "like" feature?
