Cross-Site Request Forgery, often abbreviated as CSRF, is an attack in which a malicious website, blog, email message, instant message, or web application causes a user's web browser to perform an undesired action on a trusted site at which the user is currently authenticated. The impact of a CSRF attack is determined by the capabilities exposed within the vulnerable application. At the most basic level, an attacker uses CSRF to make the target system perform any available function via the victim's browser, without the victim's knowledge; the victim usually does not learn of the action until after it has occurred.
A CSRF vulnerability gives an attacker the ability to force an authenticated, logged-in user to perform an important action without their consent or knowledge. It is the digital equivalent of someone forging a victim's signature on an important document. It is in fact more effective, because the attacker leaves no trace of evidence behind: the forged request contains all of the information of a genuine request and comes from the same IP address as a real request from the victim. This means that any application that allows a user to send or update data is a possible target for an attacker.
One important thing to remember is that for CSRF to work, the victim has to be logged in to the targeted site. While this may look like an impediment to the attacker, many websites let the user choose "keep me logged in", which greatly extends the time window in which a forgery can be made.
The most common goal of a CSRF attack is theft: data theft, identity theft, or financial theft. Some common uses of CSRF include:
There are two main methods by which Cross-site Request Forgery may be prevented.
The SameSite cookie attribute is a newly developed attribute that can be set on cookies to instruct the browser to disable third-party usage for specific cookies. The server sets it at the same time it sets the cookie itself, requesting that the browser only send the cookie in a first-party context. As a result, the request has to originate from the same site, and requests made by third-party sites cannot include the SameSite cookie. This effectively eliminates CSRF without requiring synchronizer tokens. The only downside is that SameSite cookies are only available in some modern browsers.
The recommended and most widely adopted prevention method for Cross-site Request Forgery is an anti-CSRF token, also known as a synchronizer token. Whenever a user submits information, interacts with the site, or does anything else that generates a cookie, an anti-CSRF token should be included alongside the cookie in the request. The request then goes through a verification process in which the existence and authenticity of the token are checked before the request is processed. If the token is missing or incorrect, the request can be rejected.
To ensure quality of protection with anti-CSRF tokens, it is essential that the library of known tokens is regularly updated to match existing threats. Many of these libraries are open source and easily accessed. In a perfect world, both methods would be combined to help defend against a CSRF attack.
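The following is an added example, not code from Barracuda or from this page, showing both methods described above combined: the session cookie is issued with SameSite=Lax, and every state-changing POST must carry a synchronizer token that matches the one stored server-side for that session. The in-memory session store, the "alice" user and the email-change action are constructed for illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store (session id -> session data).
# A real application would use its framework's session backend instead.
SESSIONS = {}

def start_session():
    """Create a session and mint a fresh synchronizer token for it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}
    return sid

def session_cookie_header(sid):
    """Set-Cookie value for the session: HttpOnly, Secure and SameSite=Lax,
    so the browser withholds the cookie from cross-site POST requests."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    return cookie.output(header="").strip()

def render_form(sid):
    """Embed the session's token in the form as a hidden field. A third-party
    page cannot read this value, so a forged request cannot include it."""
    token = SESSIONS[sid]["csrf_token"]
    return f'<input type="hidden" name="csrf_token" value="{token}">'

def handle_post(cookie_header, form):
    """Verify a state-changing request: the token in the form body must match
    the token stored for the session named by the cookie. Returns (status, msg)."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    sid = cookie["session"].value if "session" in cookie else None
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no valid session"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF token missing or incorrect"
    return 200, f"email changed for {session['user']}"
```

A cross-site form post without SameSite would still carry the cookie but never the hidden token, so `handle_post` rejects it with 403; with SameSite=Lax the browser does not even send the cookie, so the request fails earlier with 401.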
As an additional layer of protection, you can require a challenge-response from the user when a form is submitted. Some examples of challenge-responses include:
While challenge-response can be an effective deterrent against CSRF when designed and implemented accordingly, it does have an impact on user experience. For applications in need of high security, both tokens and challenge-response should be used to ensure security.
CSRF attacks can be used against a huge array of sites. If a site allows data to be altered from the user side, then it is a potential target for an attacker. With some of the fixes listed above, your website can guarantee a much higher level of security.
The impact of a successful CSRF attack can vary greatly depending on the privileges of the victim. If the target is a basic user, everything from their personal information to their site privileges can be compromised. That is bad enough, but if an administrator account is compromised, an attack can cripple the entire site. This shows the scale of a possible attack and why CSRF protection is an essential part of any web security package.
The Barracuda Web Application Firewall automatically protects your website and web applications from CSRF attacks along with thousands of other cyber-threats, including the OWASP Top 10 threats. If you do not yet have a web application firewall, you can request a free trial from Barracuda. You can also use the Barracuda Vulnerability Manager to run a free scan of your website to check whether it is vulnerable to a CSRF attack.
In addition to providing firewall-based protection, Barracuda also offers CSRF protection in our Barracuda Load Balancer ADC product. The load balancer is a secure Application Delivery Controller designed to ensure website availability, acceleration, and control. Automatic updates ensure comprehensive security for existing and emerging Layer 7 threats such as Cross-site Scripting, SQL injections, and Cross-site Request Forgery.