Shawndouglas: Added further reading

2016-08-10T22:33:56Z

Added further reading

← Older revision		Revision as of 22:33, 10 August 2016
Line 4:		Line 4:

	===To prevent this type of attack===		===To prevent this type of attack===
	* Include a hidden form field with a random token bound to the user’s session (and preferably the action to be performed), and check this token in the response		* Include a hidden form field with a random token bound to the user’s session (and preferably the action to be performed), and check this token in the response.
	* Make sure the token is non-predictable and cannot be obtained by the attacker		* Make sure the token is non-predictable and cannot be obtained by the attacker.
	** do not include it in files the attacker could load into his site using <code><nowiki><script></nowiki></code> tags		** Do not include it in files the attacker could load into his site using <code><nowiki><script></nowiki></code> tags.
	* Referer checks are not secure, but can be used as an additional measure		* Referer checks are not secure, but can be used as an additional measure.

	===Rationale===		===Rationale===
Line 13:		Line 13:

	Referer checks are unreliable, as some user agents do not send the header and some personal firewalls filter or falsify it for privacy reasons. Additionally the attacker can avoid sending a Referer, for example (tested with IE8 and Firefox 6) simply by setting window.location using JavaScript.		Referer checks are unreliable, as some user agents do not send the header and some personal firewalls filter or falsify it for privacy reasons. Additionally the attacker can avoid sending a Referer, for example (tested with IE8 and Firefox 6) simply by setting window.location using JavaScript.

			==Further reading==
			* [[wikipedia:Cross-site request forgery\|Cross-site request forgery]]

	==Notes==		==Notes==
	The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Cross-site_request_forgery_(CSRF) the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.		The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Cross-site_request_forgery_(CSRF) the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.

Shawndouglas: Created as needed.

2016-08-10T21:05:19Z

Created as needed.

New page

{{TOC right}}
==Cross-site request forgery (CSRF)==
Cross-site request forgery occurs if a third-party web site causes the browser of the logged-in user to make a request to your service. With GET forms, this can be done using IFRAMEs or IMG tags. With POST forms, this is possible using a FORM element with the action attribute pointed to your site, possibly submitted using JavaScript. Both methods require no user interaction. The browser automatically submits the session cookie of the user. This can allow an attacker to trigger unwanted action with the permissions of the logged-in user.

===To prevent this type of attack===
* Include a hidden form field with a random token bound to the user’s session (and preferably the action to be performed), and check this token in the response
* Make sure the token is non-predictable and cannot be obtained by the attacker
** do not include it in files the attacker could load into his site using <code><nowiki><script></nowiki></code> tags
* Referer checks are not secure, but can be used as an additional measure

===Rationale===
CSRF attacks allow attackers to abuse existing user sessions. The same-origin-policy of web browsers prevents the attacking web site to read the content (and thus the token) of the targeted site. As the token is bound to the session, the attacker cannot gain the token by simply visiting the web site himself. The token needs to be non-predictable (secure randomness), as otherwise the attacker could simply guess it.

Referer checks are unreliable, as some user agents do not send the header and some personal firewalls filter or falsify it for privacy reasons. Additionally the attacker can avoid sending a Referer, for example (tested with IE8 and Firefox 6) simply by setting window.location using JavaScript.

==Notes==
The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Cross-site_request_forgery_(CSRF) the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.

LII:Web Application Security Guide/Cross-site request forgery (CSRF) - Revision history

Shawndouglas: Added further reading

Shawndouglas: Created as needed.