Cross-site request forgery (CSRF), sometimes called one-click attacks or session riding, is a security vulnerability that targets the trust sites put into a browser. A CSRF attack will trick a victim into making a malicious request (such as changing the victim's email address, password, or even purchasing something). This request is granted based on the user's already authenticated credentials associated for the targeted site in the browser (session cookie, basic auth credentials, Windows domain credentials, etc).
According to The Open Web Application Security Project, the consequences can be serious especially if a system administrator is the target victim:
A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
Today, on TomcatExpert.com, Mark Thomas, SpringSource engineer and release manager for the Apache Tomcat 7 project, describes the new feature in an article on CSRF Protection. The new protection is turned on by default in Tomcat 7 on Apache Tomcat Manager and Apache Tomcat Host Manager.
Applications, such as Tomcat Manager, can protect themselves against these types of attacks by using a system of nonces, or tokens. Starting with the authentication request, the browser is sent a special token that must be provided with the next request. Each subsequent response provides a new token for the following request. In this case, when the attacker sends the request, while it will reach the server, it will not include the correct token, so the server will reject the request and prevent the attack.
For applications running on Tomcat, there is also a new CSRF Prevention Filter. The filter is NOT turned on by default and users must enable their Tomcat instance to take advantage of the new filter. Thomas describes the filter and how to turn it on in the article:
The filter sends the token to the browser by modifying all of the URLs in the response for the links that the user can click on. In order to do that, it requires that the application encodes URLs in the response by a calling HttpServletResponse#encodeRedirectURL(String) or HttpServletResponse#encodeURL(String).
Thomas, also a member of the Apache Security Committee, broadly recommends that for any application using authentication, developers and system administrators should consider providing CSRF protection. While other libraries exist for providing this protection as well, users should consider taking advantage of turning on this built-in protection in Tomcat 7.
For more details on the security vulnerability, implementation and considerations, check out Mark Thomas' full post.