Asked by .,.,.,
You are a security analyst for a large e-commerce company. You notice that a significant number of users are complaining about unauthorized transactions on their accounts.
After investigating, you suspect that the site might be a victim of a Cross-Site Request Forgery (CSRF) attack.
Which of the following actions should you take next?
answer
Advise users to change their passwords immediately.
Implement a CSRF token in your web application's forms.
Ignore the complaints as false positives since the transactions are coming from the users' IP addresses.
Implement CAPTCHA on all transaction pages to prevent automated attacks.
Answered by
GPT-5 mini
AI
Implement a CSRF token in your web application's forms.
Reason: CSRF attacks exploit authenticated users' browsers to perform state-changing actions without their intent. Anti-CSRF tokens (or other server-side CSRF mitigations like SameSite cookies, Origin/Referer checks, and requiring re-authentication for sensitive actions) are the correct technical defense.
Why the other choices are wrong or insufficient:
- Advising users to change passwords: not helpful for CSRF because the attacker is using the victims' existing authenticated sessions—changing passwords alone doesn't stop requests sent by a logged-in browser unless you also invalidate sessions.
- Ignoring complaints: dangerous and incorrect.
- CAPTCHA on transaction pages: CAPTCHA targets automated bots, not CSRF driven by a victim's browser; it’s not an appropriate primary CSRF mitigation.
Immediate next steps you should take while you implement fixes:
- Verify and reproduce the issue; review logs to confirm CSRF indicators.
- Add anti-CSRF tokens to all state-changing endpoints (POST/PUT/DELETE).
- Set cookie SameSite attributes and require re-authentication for high-value transactions.
- Invalidate active sessions/tokens if appropriate, notify affected users, and continue monitoring.
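A minimal illustration of the anti-CSRF token and SameSite cookie steps in the answer above, added here as an example (it is not part of the answer or any real shop's code); the server secret, allowed origin and session id are constructed placeholders:

```python
import hmac
import hashlib
import secrets

# Constructed placeholders for this example; a real deployment loads the
# secret from a secret store and lists its own origin(s).
SERVER_SECRET = b"example-server-secret-do-not-reuse"
ALLOWED_ORIGINS = {"https://shop.example"}


def issue_csrf_token(session_id: str) -> str:
    """Issue a per-session anti-CSRF token (synchronizer token pattern).

    The token is bound to the session id with an HMAC and embedded in forms as
    a hidden field. A page on another origin cannot read it, so a forged
    cross-site request cannot present a valid token.
    """
    nonce = secrets.token_hex(16)
    msg = f"{session_id}:{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for the presented token and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    msg = f"{session_id}:{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value whose attributes stop the browser attaching the
    session cookie to cross-site POSTs (SameSite) or sending it over HTTP."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def accept_state_change(session_id: str, headers: dict, form: dict) -> tuple:
    """Defence-in-depth gate a transaction endpoint runs before acting.

    Rejects the request unless the Origin header (when the browser sends one)
    is our own site AND the form carries a valid token for this session.
    """
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "origin mismatch"
    token = form.get("csrf_token")
    if not token or not verify_csrf_token(session_id, token):
        return False, "missing or invalid csrf token"
    return True, "ok"
```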