Preventing cross-site request forgery (CSRF)

Since I stumbled over a pretty good introduction to what CSRF is I figured it was worth a few lines.

First of all you need to understand what an attacker is trying to do when they do an CSRF attack. This is explained  in this video. The recommended way to prevent CSRF attacks is described here and is in essence implemented by storing a value in a session and then issue the same (or derived) value as part of the request.

This works great as long as we assume all web browsers are implemented correctly so that the attacker cannot get hold of the challenge needed in each request nor retrieve it through cookies if the value is stored there.

CSRF protection is very easy then the attacker is unsophisticated and just tries to exploit well known parameters to an API. For a more sophisticated attacker that tries to get hold of your session CSRF token protection can be harder as it ultimately relies on the browser to not allow an evil payload get access to the target content. However there are examples of where the same origin policy (SOP) have been bypassed because for example CDNs are used to distribute content and the cross domain configuration is not setup properly, typically because wild cards are being used.

And remember you should expect your web application framework of choice to have CSRF protection out of the box - no need to implement it yourself but remember that you still rely on your user's web browsers to be properly implemented.

No comments:

Post a Comment