Common safety preventions against CSRF
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.
How it works
Suppose a vulnerable Bank Server accepts the following POST request to transfer money:
POST /transfer.do HTTP/1.1
Host: bank.com
Content-Type: application/x-www-form-urlencoded

acct=BOB&amount=100
This request is submitted by an ordinary HTML form, and a page on any other site can build and submit the same form automatically with a short piece of JavaScript; because the browser attaches the victim's bank.com cookies to the request, the server treats it as the authenticated user's own action.
Preventions
- Generate a unique CSRF token on the server side for each session and pass it back to the client in a Set-Cookie header. The client copies this token into a special request header, and the server validates the token on every state-changing request.
- Use a modern front-end framework such as Vue.js or React.js to set up a hidden CSRF token input (a hidden input is not displayed on the rendered page, but is sent with the form).
- Create an app that generates CSRF tokens (Google and many banks use this option nowadays).
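The first prevention above (per-session token issued in a cookie, echoed back in a request header, validated on the server) as an added example, not code from the original post. The in-memory session store, the cookie names and the X-CSRF-Token header name are assumptions; the key point is that a cross-site form can make the browser send cookies but cannot set a custom header.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical in-memory session store: session id -> that session's CSRF token.
SESSIONS: dict[str, str] = {}


def create_session() -> tuple[str, dict]:
    """Log a user in: create a session plus its CSRF token and return the
    cookie values the server would send back in Set-Cookie headers."""
    session_id = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = csrf_token
    # The session cookie should be HttpOnly; the CSRF cookie is deliberately
    # readable by same-origin JavaScript, which copies it into a header.
    return session_id, {"sessionid": session_id, "csrftoken": csrf_token}


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def validate_csrf(req: Request) -> bool:
    """Accept a state-changing request only if the token in the custom header
    matches the token stored for the session identified by the cookie."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so no token needed
    expected = SESSIONS.get(req.cookies.get("sessionid", ""))
    presented = req.headers.get("X-CSRF-Token")
    if expected is None or presented is None:
        return False
    # Constant-time comparison so the check does not leak the token.
    return hmac.compare_digest(presented, expected)


def transfer(req: Request) -> tuple[int, str]:
    """The bank's transfer endpoint, guarded by the CSRF check."""
    if not validate_csrf(req):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {req.form['amount']} to {req.form['acct']}"
```

A forged cross-site form submission carries the victim's cookies but no X-CSRF-Token header, so it is rejected with 403 while the same-origin request that copied the cookie into the header succeeds.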
Sources
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)