Versions Compared

Version Old Version 9 New Version 10
Changes made by

Neil Matatall

Neil Matatall

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Webcast from the makers of AppScan (7 minutes long)

From Wikipedia"

Cross-site request forgery, also known as one-click attack, sidejacking or session riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Contrary to cross-site scripting(XSS), which exploits the trust a user has for a particular site, cross-site request forgery exploits the trust that a site has for a particular user.

...

CSRF is VERY dangerous.  A hacker can pretty much assume the identity of a user by using the victims own browser and actions.  It exploits your trust in the same-origin policy.  A very simple description of the same-origin policy says that script from another site cannot access the contents of a page and more importantly, requests to a server can only pass cookies from the same host.  For example, everytime you make a request to a "uci.edu" web page, all "uci.edu" cookies will be sent along with the request.  This is where the vulnerability actually lies: triggering an inadvertant request which in turn inadvertantly sends all cookies (containing authentication values) and causes the server to think it is a legitimate request.

...

There are ways of preventing this attack and some are more thorough than others.  The best strategy is to implement all three, but usually one is "good enough".

Use a Secondary Authentication Mechanism (Preferred)

Send a securely randomly generated token with each request and require this token for the next request and then throw it away.   This is the most effective, yet difficult to code, method.

"Double Cookie Submission"

The CSRF attack works by subverting what the browser will do with the cookie.  Ideally, your cookies would be totally unavailable to anyone outside of your domain. This attack works because XMLHttpRequest in some page can use the cookies of some foreign domain when posting to that foreign domain. However the script can not read the cookie directly due to the cross-domain rules, so a slight modification of the hidden field solution is to read the session cookie using JavaScript and then adding to URLs, forms or the body of a POST request, and then checking in the server that the session cookie value that the browser sends in the header (which is subvertable) is the same as the session cookie in the request (this is not subvertable in the same way).

 From CSRF Attacks or How to avoid exposing your GMail contacts.  This is a newer concept and is not in wide use.

Reject non-POST Requests

...