Your application is vulnerable to Cross-Site Request Forgery (CSRF or XSRF, also known as a URL Command Attack or Session Riding) if you answer yes to all of the following questions:
• Does your application have a predictable control structure? It is extremely rare for a web application to use a URL structure that is not highly predictable across users. This is not a flaw in itself; there is little engineering benefit to using overly complex or randomized URLs for user interaction.
• Does your application use cookies or integrated browser authentication?
The accepted best practice for web application developers has been to use properly scoped, unguessable cookies to authenticate that each request came from a valid user. This is still sound practice, but because browsers automatically attach their stored cookies to almost any cross-domain request, cookies alone enable CSRF attacks unless another authentication mechanism is used. Browser authentication mechanisms such as HTTP Auth, Integrated Windows Authentication, and client certificate authentication are also applied automatically to cross-domain requests, so they provide no protection against CSRF either. Long session timeouts also expose applications to CSRF, since a user can log in once and stay logged in for days or weeks, leaving an application that allows long sessions open to CSRF for that whole window.
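The two questions above describe exactly why a cookie-only authorization check fails: the browser supplies the cookie on any request to a predictable URL, so the server cannot tell a user-initiated submission from one triggered by another site. The following added example (not code from the original post) contrasts that cookie-only handler with the same handler hardened by a synchronizer token bound to the session. The `Request` class, the `SESSIONS` store, the secret and the sample requests are all constructed for illustration and stand in for a real web framework.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed in-memory session store: session cookie value -> username
SESSIONS = {"sess-abc123": "alice"}
# Server-side secret used to derive per-session CSRF tokens (constructed;
# a real deployment loads this from configuration, never from source)
CSRF_SECRET = b"example-server-secret-do-not-reuse"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: the cookies the browser attached
    automatically, plus the form fields the submitting page controlled."""
    cookies: dict
    form: dict


def csrf_token_for(session_id: str) -> str:
    """Derive a per-session synchronizer token. The page that renders the form
    embeds this value in a hidden field; a page on another origin cannot read it."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(req: Request) -> str:
    """Cookie-only check, the pattern the text describes: any request carrying
    the session cookie is trusted, regardless of which page submitted it."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return "401 not logged in"
    return f"200 {user} sent {req.form['amount']} to {req.form['to']}"


def transfer_protected(req: Request) -> str:
    """Same endpoint with a synchronizer token: besides the cookie, the request
    must carry the token that only a same-origin page could have embedded."""
    sid = req.cookies.get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return "401 not logged in"
    expected = csrf_token_for(sid)
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the check itself leaks nothing about the token
    if not hmac.compare_digest(expected, supplied):
        return "403 csrf token missing or invalid"
    return f"200 {user} sent {req.form['amount']} to {req.form['to']}"


def demo() -> dict:
    """Run both handlers against a legitimate and a cross-site submission."""
    sid = "sess-abc123"
    # Legitimate submission from the site's own form, which embedded the token.
    legit = Request(cookies={"session": sid},
                    form={"to": "bob", "amount": "10",
                          "csrf_token": csrf_token_for(sid)})
    # Cross-site submission to the same predictable URL: the browser still
    # attaches the session cookie, but the foreign page cannot supply the token.
    forged = Request(cookies={"session": sid},
                     form={"to": "mallory", "amount": "1000"})
    return {
        "vulnerable_legit": transfer_vulnerable(legit),
        "vulnerable_forged": transfer_vulnerable(forged),
        "protected_legit": transfer_protected(legit),
        "protected_forged": transfer_protected(forged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the cookie-only handler accepting both submissions while the token-checked handler rejects the cross-site one with a 403. The token is derived from the session id rather than stored per session, which keeps the example small; a framework would typically store a random per-session token instead. Setting the session cookie with the `SameSite` attribute is a worthwhile second layer, but it does not replace the token check, because not every browser or request path honors it.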
What Makes a Web Application Vulnerable?
Tuesday, 26 April 2016
Published 09:46