Fortunately, this request will not be executed by modern web browsers thanks to same-origin policy restrictions. This restriction is enabled by default unless the target web site explicitly opens up cross-origin requests from the attacker’s (or everyone’s) origin by using CORS with the following header:
Access-Control-Allow-Origin: *
Related Controls
- Add a per-request nonce to the URL and all forms in addition to the standard session. This is also referred to as “form keys”. Many frameworks (e.g., Drupal.org 4.7.4+) either have or are starting to include this type of protection “built-in” to every form so the programmer does not need to code this protection manually.
- Add a hash (session id, function name, server-side secret) to all forms.
- For .NET, add a session identifier to ViewState with MAC (described in detail in the DotNet Security Cheat Sheet).
- Checking the referrer header in the client’s HTTP request can prevent CSRF attacks. Ensuring that the HTTP request has come from the original site means that attacks from other sites will not function. It is very common to see referrer header checks used on embedded network hardware due to memory limitations.
- XSS can be used to bypass both referrer and token based checks simultaneously. For instance, the Samy worm used an XMLHttpRequest to obtain the CSRF token to forge requests.
- “Although CSRF is fundamentally a problem with the web application, not the user, users can help protect their accounts at poorly designed sites by logging off the site before visiting another, or clearing their browser’s cookies at the end of each browser session.” — http://en.wikipedia.org/wiki/Cross-site_request_forgery#_note-1
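The per-request nonce, the hash-based form key (session id, form name, server-side secret) and the referrer/origin check from the controls above, as an added Python example; this is not code from the OWASP page or from any project it references, and the secret, site origin and dict-based session store are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values for this example; a real deployment loads them from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
SITE_ORIGIN = "https://app.example"


def make_form_token(session_id, form_name, secret=SERVER_SECRET):
    """'Form key' bound to one session and one form: HMAC(secret, session_id || form_name).
    An attacker's page cannot compute it without the secret, and a token issued
    for one form does not validate for another."""
    msg = f"{session_id}\x00{form_name}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_form_token(session_id, form_name, submitted, secret=SERVER_SECRET):
    expected = make_form_token(session_id, form_name, secret)
    # compare_digest keeps the comparison constant-time.
    return hmac.compare_digest(expected, submitted or "")


def issue_nonce(session):
    """Per-request nonce: random, stored server-side in the session, valid for one submit."""
    nonce = secrets.token_urlsafe(32)
    session.setdefault("csrf_nonces", set()).add(nonce)
    return nonce


def consume_nonce(session, submitted):
    nonces = session.get("csrf_nonces", set())
    if submitted in nonces:
        nonces.discard(submitted)  # single use: a replayed nonce is rejected
        return True
    return False


def origin_allowed(headers, site_origin=SITE_ORIGIN):
    """Referrer check: the request must come from this site. Origin is preferred;
    Referer is the fallback; a request carrying neither header is rejected."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == site_origin
```

A state-changing endpoint should require both a valid token (or nonce) and a passing origin check, since each defense covers cases the other misses.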
References
“This paper serves as a living document for Cross-Site Request Forgery issues. This document will serve as a repository of information from existing papers, talks, and mailing list postings and will be updated as new information is discovered.”
- [Testing for CSRF](https://owasp.org/www-project-web-security-testing-guide/)
  - CSRF (aka Session riding) paper from the OWASP Testing Guide project.
- CSRF Vulnerability: A ‘Sleeping Giant’
  - Overview Paper
- Client Side Protection against Session Riding
  - Martin Johns and Justus Winter’s paper and presentation for the 4th OWASP AppSec Conference, which described potential techniques that browsers could adopt to automatically provide CSRF protection (PDF paper).
- J2EE, .NET, and PHP Filters which append a unique request token to each form and link in the HTML response in order to provide universal coverage against CSRF throughout your entire application.
- Anti-CSRF method to mitigate CSRF in web applications. Currently implemented as a PHP library and Apache 2.x.x module.
- A Most-Neglected Fact About Cross Site Request Forgery (CSRF)
  - Aung Khant, http://yehg.net, explained the danger and impact of CSRF with imperiling scenarios.
- Pinata-CSRF-Tool: CSRF POC tool
  - Pinata makes it easy to create Proof of Concept CSRF pages. Assists in Application Vulnerability Assessment.