Monday, October 19, 2009

CSRF

CSRF (Cross-Site Request Forgery) is a fairly straightforward way for an attacker to abuse your web application: the victim's browser is tricked into sending a request that the application then executes with the victim's credentials.

First of all, you should protect your application against XSS attacks; a script injected into your own origin can read any anti-CSRF token and defeats every measure described below. On top of that, it is good practice to mark the session cookie (and any other important cookie that your JavaScript does not need) as HttpOnly, which hides the cookie from script access and so from theft. Note that HttpOnly alone does not stop CSRF: the browser still attaches the cookie to a forged request.

A CSRF attack is possible whenever the web application relies solely on the user identification carried by cookies (session cookie, remember-me cookie), because the browser sends those cookies with any request to your site no matter which page triggered it. Every state-changing request therefore needs an additional check that it originated from your own application:

  • check the Referer HTTP header (the header really is spelled "Referer") and reject requests whose Referer is not your own origin; browsers and proxies sometimes strip this header, so decide explicitly whether an absent Referer is rejected, and do not rely on this check alone
  • double-submit cookie - set a generated random cookie, submit its value with each request (e.g. as a hidden form field) and check on the server that the two values are equal (you can automate it with JavaScript that reads the cookie value and generates the hidden field into each form); a page on another site cannot read your cookie, so it cannot produce a matching field
  • similar to the previous: generate such a magic token on the server, store it in the session, and check that the value submitted with each secured request equals the stored one (the synchronizer token pattern)

Usually the attacker cannot read the response to a forged request (because of the same-origin policy), but be aware that this does not have to hold for JSON responses: a JSON endpoint reachable by GET can be included from a foreign page with a <script> tag, and in some older browsers a response consisting of a bare JSON array could then be captured by script (so-called JSON hijacking). Serve such data only on POST or with a CSRF token, or prefix it so that it is not valid JavaScript.
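One way to make a JSON response useless as a cross-site script include, as an added example that is not part of the original post. The prefix string is a widely used convention; the payload and the `loadsAsScript` helper (which only compiles the body, never runs it) are assumptions for the demonstration.

```javascript
// Added example, not from the original post. Demonstrates why a bare JSON
// array is loadable as a script while a prefixed response is not.
const JSON_PREFIX = ")]}',\n";

// Server side: emit the data with a prefix that is a JavaScript syntax error.
function protectJson(data) {
  return JSON_PREFIX + JSON.stringify(data);
}

// Client side (same origin, so it can read the body): strip the prefix first.
function parseProtectedJson(body) {
  if (!body.startsWith(JSON_PREFIX)) {
    throw new Error('missing anti-hijacking prefix');
  }
  return JSON.parse(body.slice(JSON_PREFIX.length));
}

// Simulates a foreign page loading the body via <script src>. new Function
// only parses the text; true means the browser would accept it as script.
function loadsAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample payload.
const accounts = [{ account: '123', balance: 42 }];

module.exports = { JSON_PREFIX, protectJson, parseProtectedJson, loadsAsScript, accounts };
```

A top-level JSON object (`{"a":1}`) already fails to parse as a script body, which is why only array responses were exposed; the prefix removes the distinction so no endpoint depends on the shape of its data.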