Website Attacks
txgz999 edited this page Aug 14, 2019
CSRF (Cross-Site Request Forgery)
- Rob Shapland, Cross-site request forgery: Lessons from a CSRF attack example
- Cross site request forgery (CSRF) attack
- Common CSRF Prevention Misconceptions
Attackers lure our users into unintentionally submitting a request to our website, causing damage to the user or to the website.
The prerequisite for this attack to work is that the user has logged in to our website and their identity is stored in a cookie.
It exploits the following property of cookies: a cookie is sent with every request to the site belonging to the cookie's domain, regardless of the origin of the document that submits the request.
Such a request can be made by the user clicking a hyperlink in an email they receive, or by a script that runs when the user loads a document.
- A CSRF attacker lures our users into submitting a malicious request to our server. The form comes from the attacker, but it submits its request to our server
- A CSRF attacker cannot read or change cookies for our site
- A CSRF attacker cannot read data from our site, therefore only state-changing requests need CSRF protection: https://security.stackexchange.com/questions/115794/should-i-use-csrf-protection-for-get-requests
CSRF Attack Solutions
- Harsha Kavinda, Synchronizer Token Pattern: when the user logs in, generate a token and store it as a session variable. Then, in every form sent to the user, add that session variable's value in a hidden field of the form. When the form data submitted by the user is received, check that the hidden field value matches the session variable value
- Harsha Kavinda, Double Submit Cookie Pattern: when the user logs in, generate a token and put it in a cookie. Then, in every form sent to the user, add that cookie value in a hidden field of the form. When the form data submitted by the user is received, check that the hidden field value matches the cookie value
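Both patterns above, written out as an added example (not code from the original page or from Harsha Kavinda's articles). It assumes the session, cookie jar and submitted form are plain dict-like objects, as a web framework would hand them to a request handler, and it only enforces the check on state-changing methods, as the note above recommends.

```python
import hmac
import secrets

# Methods that must not change server state and therefore need no CSRF check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def needs_csrf_check(method):
    """Only state-changing requests (POST, PUT, DELETE, ...) are protected."""
    return method.upper() not in SAFE_METHODS


def render_form(token):
    """The hidden field embedded in every form sent to the user (constructed HTML)."""
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="submit" value="Send"></form>')


# --- Synchronizer Token Pattern: token lives in the server-side session -------
def issue_synchronizer_token(session):
    """Called at login: generate a random token and keep it in the session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_synchronizer_token(session, form):
    """Compare the hidden field against the session copy in constant time."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


# --- Double Submit Cookie Pattern: token lives in a cookie, no session state ---
def issue_double_submit_token(cookies):
    """Called at login: generate a random token and set it as a cookie."""
    token = secrets.token_urlsafe(32)
    cookies["csrf_token"] = token
    return token


def verify_double_submit_token(cookies, form):
    """The attacker's page cannot read our cookie, so it cannot fill the field."""
    cookie_value = cookies.get("csrf_token")
    form_value = form.get("csrf_token")
    if not cookie_value or not form_value:
        return False
    return hmac.compare_digest(cookie_value, form_value)
```

A cross-site form built by the attacker carries the cookie automatically but cannot know the hidden field value, so either verify function rejects it.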