During a recent vulnerability scan of a company's web application, you identified a security risk that allows an attacker to trick users into performing actions they did not intend to perform on a web application where they are authenticated. Which of the following types of controls would be the most effective to recommend in order to mitigate this risk?
Implement an anti-CSRF token in the application.
Increase the web application session timeout settings.
Require re-authentication for every transaction performed by the user.
Implementing an anti-CSRF token is the most effective control for mitigating cross-site request forgery (CSRF) attacks. It ensures that a unique token is associated with every user session and must be submitted with every state-changing request, so an attacker who does not know the token cannot easily forge a valid request. A CAPTCHA is less effective because it serves a different purpose, distinguishing human users from bots. Re-authentication before each action addresses other security concerns but does not specifically prevent CSRF attacks, and an increased session timeout may actually raise CSRF risk by prolonging the window in which an attack can occur.