Saturday 8 December 2018

CSRF

Common preventions against CSRF
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.
How it works
Suppose a vulnerable Bank Server accepts the following POST request to transfer money:

POST http://bank.com/transfer.do HTTP/1.1
acct=BOB&amount=100 

This request is normally sent by submitting a form, and an attacker's page can submit an identical form automatically with a small piece of JavaScript; the browser attaches the victim's session cookies to it, so the bank treats it as the victim's own action.

Preventions
  1. Generate a unique CSRF token on the server side for each session and pass it back to the client in a Set-Cookie header. The client then places this token in a special request header, and the server validates the token on every request.
  2. Use a modern front-end framework such as Vue.js or React.js to set up a hidden CSRF token input (because it is hidden, it is not visible on the rendered page).
  3. Create an app that generates CSRF tokens (Google and many banks use this option nowadays).
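As an added illustration (not code from the original post), a minimal Python model of prevention 1 above: the server mints a per-session token, returns it in Set-Cookie, and the client must echo it in an X-CSRF-Token header; the cookie and header names and the in-memory session store are assumptions. A cross-site form submission carries the session cookie automatically but cannot read that cookie to fill in the header, so it fails the check.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> CSRF token (assumption).
SESSIONS = {}


def start_session():
    """Create a session and mint one random CSRF token bound to it (server side)."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = secrets.token_urlsafe(32)
    return session_id


def set_cookie_headers(session_id):
    """Set-Cookie values the server sends back with the login response.
    The session cookie is HttpOnly; the CSRF cookie is readable by the site's own JS
    so it can be copied into the X-CSRF-Token header (cookie names are assumed)."""
    token = SESSIONS[session_id]
    return [
        f"session={session_id}; HttpOnly; Secure; SameSite=Lax",
        f"csrf_token={token}; Secure; SameSite=Lax",
    ]


def validate_transfer(cookies, headers):
    """Decide whether an incoming POST /transfer.do may proceed.
    cookies/headers are dicts of the request's cookies and headers."""
    expected = SESSIONS.get(cookies.get("session"))
    if expected is None:
        return False  # no authenticated session at all
    presented = headers.get("X-CSRF-Token")
    if presented is None:
        return False  # a cross-site form post sends cookies but cannot add this header
    # Constant-time comparison so a wrong token cannot be guessed byte by byte.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    sid = start_session()
    token = SESSIONS[sid]
    print("legitimate:", validate_transfer({"session": sid}, {"X-CSRF-Token": token}))
    print("forged form post:", validate_transfer({"session": sid}, {}))
```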
Sources
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
