Wednesday, May 9, 2018

Synchronise Tokens

Cross Site Request Forgery.

According to Wikipedia, "Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts."
XSS exploits the trust a user has in a website/server. CSRF exploits the trust a server has in the user.
A CSRF vulnerability makes use of the fact that the website does not verify whether a request was intentionally made by a legitimate user. Rather, it only checks that the request is coming from the browser of an authenticated user.

Requirements for a CSRF attack to work.

1. The victim must be authenticated to the server.
2. The attacker has to send a crafted link to the victim. This link is crafted in such a way that it sends a request to the target website.
3. The victim must click/execute the malformed link from his browser, which already has a session. The browser sends the request on the victim's behalf and executes a specific action within the current session.

Preventing CSRF vulnerabilities

1. Synchronize Token Patterns approach.
2. Double submit cookies approach.

The Synchronize Token Patterns approach will be discussed in this blog post. The Double submit cookies approach will be discussed in a future blog post.
  • Any state changing operation requires a secure random token (e.g., CSRF token) to prevent CSRF attacks.
  • The CSRF token value should be:
    • Unique per user session.
    • A random value.
    • Generated by a cryptographically secure random number generator (MD5, SHA1).
  • The CSRF token is added as a hidden field for forms, or within the URL if the state changing operation occurs via a GET.
  • The server should reject the requested action if the CSRF token fails validation.
I have implemented a small example to demonstrate the Synchronize Token Patterns approach.

I used hard-coded user credentials for demonstration purposes.
Upon login, I generated a session identifier and set it as a cookie in the browser.
At the same time, the CSRF token is generated and saved on the server side.
In the website, I have implemented an endpoint that accepts HTTP POST requests and responds with the CSRF token. The endpoint receives the session cookie and, based on the session identifier, returns the CSRF token value.

I have implemented a web page that has an HTML form. The method should be POST and the action should be another URL in the website.

When this page loads, an Ajax call is executed via JavaScript, which invokes the endpoint for obtaining the CSRF token created for the session.

I have added a hidden field in the web page that holds the value of the received CSRF token.

Once the HTML form is submitted to the action, the server side extracts the received CSRF token value and checks whether it is the correct token issued for the particular session: obtain the session cookie, get the corresponding CSRF token for the session and compare it with the received token value. If the received CSRF token is valid, show a success message. If not, show an error message.
You can find the source code here.
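The server-side half of the flow described above, written here as an added example rather than the post's own source code. It models the three server steps (login that issues a session cookie and a per-session token, the POST endpoint the Ajax call queries, and the form action that validates the hidden field) as plain functions with in-memory stores; the user names, passwords and cookie/field names are constructed for the demo.

```python
import hmac
import secrets

# Hard-coded credentials for the demo, as in the post (constructed values).
USERS = {"alice": "password123"}

# Server-side state: session id -> user, and session id -> CSRF token.
SESSIONS = {}
CSRF_TOKENS = {}


def login(username, password):
    """On valid credentials create a session and its CSRF token.
    Returns the session id to set as the cookie, or None on failure."""
    if USERS.get(username) != password:
        return None
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = username
    # One token per session, from a CSPRNG (the secrets module), kept server side.
    CSRF_TOKENS[session_id] = secrets.token_hex(32)
    return session_id


def csrf_token_endpoint(cookies):
    """The POST endpoint the page's Ajax call invokes: returns the token for
    the session named by the cookie, or None if there is no valid session.
    A page on another origin cannot read this response (same-origin policy),
    which is why the token stays unknown to a forged request."""
    session_id = cookies.get("session")
    if session_id not in SESSIONS:
        return None
    return CSRF_TOKENS[session_id]


def form_action(cookies, form):
    """The form's action URL: accept the state change only if the submitted
    hidden field equals the token issued for this session."""
    session_id = cookies.get("session")
    submitted = form.get("csrf_token")
    if session_id not in SESSIONS or submitted is None:
        return "error"
    expected = CSRF_TOKENS[session_id]
    # Constant-time comparison so timing does not leak the expected token.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return "error"
    return "success"


if __name__ == "__main__":
    sid = login("alice", "password123")
    token = csrf_token_endpoint({"session": sid})
    print(form_action({"session": sid}, {"csrf_token": token}))  # success
    print(form_action({"session": sid}, {}))                     # error
```

A forged cross-site form arrives with the victim's session cookie but without the hidden field (the attacker's page cannot read the token), so `form_action` rejects it; a token issued for a different session is rejected the same way.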
