Difference between revisions of "LII:Web Application Security Guide/Cross-site request forgery (CSRF)"

From LIMSWiki
Jump to navigationJump to search
(Created as needed.)
 
m (Added further reading)
 
Line 4: Line 4:


===To prevent this type of attack===
===To prevent this type of attack===
* Include a hidden form field with a random token bound to the user’s session (and preferably the action to be performed), and check this token in the response
* Include a hidden form field with a random token bound to the user’s session (and preferably the action to be performed), and check this token in the response.
* Make sure the token is non-predictable and cannot be obtained by the attacker
* Make sure the token is non-predictable and cannot be obtained by the attacker.
** do not include it in files the attacker could load into his site using <code><nowiki><script></nowiki></code> tags
** Do not include it in files the attacker could load into his site using <code><nowiki><script></nowiki></code> tags.
* Referer checks are not secure, but can be used as an additional measure
* Referer checks are not secure, but can be used as an additional measure.


===Rationale===
===Rationale===
Line 13: Line 13:


Referer checks are unreliable, as some user agents do not send the header and some personal firewalls filter or falsify it for privacy reasons. Additionally the attacker can avoid sending a Referer, for example (tested with IE8 and Firefox 6) simply by setting window.location using JavaScript.  
Referer checks are unreliable, as some user agents do not send the header and some personal firewalls filter or falsify it for privacy reasons. Additionally the attacker can avoid sending a Referer, for example (tested with IE8 and Firefox 6) simply by setting window.location using JavaScript.  
==Further reading==
* [[wikipedia:Cross-site request forgery|Cross-site request forgery]]


==Notes==
==Notes==
The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Cross-site_request_forgery_(CSRF) the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.
The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Cross-site_request_forgery_(CSRF) the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.

Latest revision as of 22:33, 10 August 2016

Cross-site request forgery (CSRF)

Cross-site request forgery occurs if a third-party web site causes the browser of the logged-in user to make a request to your service. With GET forms, this can be done using IFRAMEs or IMG tags. With POST forms, this is possible using a FORM element with the action attribute pointed to your site, possibly submitted using JavaScript. Both methods require no user interaction. The browser automatically submits the session cookie of the user. This can allow an attacker to trigger unwanted action with the permissions of the logged-in user.

To prevent this type of attack

  • Include a hidden form field with a random token bound to the user’s session (and preferably the action to be performed), and check this token in the response.
  • Make sure the token is non-predictable and cannot be obtained by the attacker.
    • Do not include it in files the attacker could load into his site using <script> tags.
  • Referer checks are not secure, but can be used as an additional measure.

Rationale

CSRF attacks allow attackers to abuse existing user sessions. The same-origin-policy of web browsers prevents the attacking web site to read the content (and thus the token) of the targeted site. As the token is bound to the session, the attacker cannot gain the token by simply visiting the web site himself. The token needs to be non-predictable (secure randomness), as otherwise the attacker could simply guess it.

Referer checks are unreliable, as some user agents do not send the header and some personal firewalls filter or falsify it for privacy reasons. Additionally the attacker can avoid sending a Referer, for example (tested with IE8 and Firefox 6) simply by setting window.location using JavaScript.

Further reading

Notes

The original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.