During a recent vulnerability scan of a company's web application, you identified a security risk that allows an attacker to trick users into performing actions they did not intend to perform on a web application where they are authenticated. Which of the following types of controls would be the most effective to recommend in order to mitigate this risk?
Implement an anti-CSRF token in the application.
Require re-authentication for every transaction performed by the user.
Increase the web application session timeout settings.
Implementing an anti-CSRF token is the most effective control for mitigating cross-site request forgery attacks. It ensures that a unique, unpredictable value is associated with each user session (or request) and must be submitted with every state-changing request, so an attacker cannot forge a valid request. CAPTCHA focuses on distinguishing humans from bots and does not reliably stop CSRF. Re-authenticating the user before every action can help for highly sensitive operations but is impractical as a blanket solution and still relies on additional CSRF defenses. Increasing the session timeout does not prevent CSRF; in fact, a longer session window gives an attacker more time to exploit a forged request.