During a recent vulnerability scan of a company's web application, you identified a security risk that allows an attacker to trick users into performing actions they did not intend to perform on a web application where they are authenticated. Which of the following types of controls would be the most effective to recommend in order to mitigate this risk?
Increase the web application session timeout settings.
Require re-authentication for every transaction performed by the user.
Implementing an anti-CSRF token is the most effective control for mitigating cross-site request forgery attacks. It ensures that a unique, unpredictable value is associated with each user session (or request) and must be submitted with every state-changing request, so an attacker cannot forge a valid request. CAPTCHA focuses on distinguishing humans from bots and does not reliably stop CSRF. Re-authenticating the user before every action can help for highly sensitive operations but is impractical as a blanket solution and still relies on additional CSRF defenses. Increasing the session timeout does not prevent CSRF; in fact, a longer session window gives an attacker more time to exploit a forged request.