[PCI DSS 3.0] 6.5.9 Cross-site request forgery (CSRF)

6.5.9 Cross-site request forgery (CSRF)

6.5.9 Examine software development policies and procedures and interview responsible personnel to verify that cross-site request forgery (CSRF) is addressed by coding techniques that ensure applications do not rely on authorization credentials and tokens automatically submitted by browsers.

A CSRF attack forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application, which then enables the attacker to perform any state-changing operations the victim is authorized to perform (such as updating account details, making purchases, or even authenticating to the application).
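The coding technique the requirement points at is a per-session anti-CSRF token that the browser does not attach automatically: the server embeds it in its own forms and refuses state-changing requests that do not echo it back. The following is an added illustration (not text from PCI DSS), written against a constructed in-memory session store with made-up handler names; it places a cookie-only handler beside one that applies the synchronizer-token check.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store standing in for a real server-side session.
SESSIONS: dict[str, dict] = {}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def login(user: str) -> str:
    """Create a session and mint a fresh anti-CSRF token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid: str) -> str:
    """Token the server embeds as a hidden field in its own forms."""
    return SESSIONS[sid]["csrf"]

def handle_vulnerable(req: Request) -> str:
    """Relies only on the session cookie the browser attaches automatically."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return "401 not logged in"
    return f"200 updated email for {sess['user']}"

def handle_protected(req: Request) -> str:
    """Synchronizer-token check: state changes need the per-session token."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return "401 not logged in"
    if req.method in STATE_CHANGING:
        submitted = req.form.get("csrf_token", "")
        # compare_digest: constant-time comparison, no timing leak of the token
        if not hmac.compare_digest(submitted, sess["csrf"]):
            return "403 CSRF token missing or invalid"
    return f"200 updated email for {sess['user']}"

def demo() -> tuple[str, str, str]:
    sid = login("alice")
    # Cross-site POST: the browser attaches the cookie, but a third-party page
    # cannot read the session-bound token, so the form carries none.
    forged = Request("POST", {"sid": sid}, {"email": "new@example.invalid"})
    legit = Request("POST", {"sid": sid}, {"email": "new@example.invalid", "csrf_token": csrf_token_for(sid)})
    return handle_vulnerable(forged), handle_protected(forged), handle_protected(legit)
```

Running `demo()` shows the cookie-only handler accepting the cross-site post while the protected handler rejects it and still accepts the application's own form.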