Monday, May 19, 2008

Cross-Site Request Forgery (CSRF)

My boss asked me to start testing our web application for web exploits. So I have been doing a lot of reading and code review lately. It is like a dream come true. But this morning I learned AJAX so that I could do CSRF POST requests via XSS. It seems to be a pretty sweet attack. CSRF is basically tricking a user into visiting a malicious link, a page controlled by the attacker, or a page with an XSS vulnerability. The attacker then uses one of those to execute a GET or POST request against a site that the victim is currently logged into. Because the browser attaches the victim's session cookie to that request, the authenticated site cannot tell it apart from one the victim made deliberately. The request may be as simple as having the victim click a link such as https://victimsite.com/purchase.php?item=tv&quantity=100. The attacker could also use AJAX to execute the request with code like this:

// Attacker-controlled script, as described in the post: the browser attaches the
// victim's session cookie, so the target site sees an authenticated request.
var req;
var url = "https://victimsite.com/purchase.php";
var params = "item=tv&quantity=100";
try {
    req = new XMLHttpRequest();
}
catch (e3) { document.write("error") }

req.open('POST', url, true);   // asynchronous POST to the target site
req.send(params);              // request body the victim never sees

The above AJAX code would be placed on a site with an XSS vulnerability and would be used against a target site that accepts POST rather than a simple GET request.

Mitigation:

Require a unique session token to be appended to each request; the attacker cannot know the victim's token, so a forged request fails the check. It also helps to use POST instead of GET (this only makes it harder, not impossible).

On a side note, Firefox claims to stop any AJAX code that makes a POST/GET request to a page that is not the parent page. That is a browser-side restriction on scripts, not something the site can rely on in place of the token check.

1 comment:

Rob said...

if you like CSRF then take a look at this