Website Attacks
txgz999 edited this page Aug 13, 2019 · 14 revisions
CSRF (Cross-Site Request Forgery)
Attackers lure our users into submitting requests to our website without intending to, in order to cause damage to the user or to the website.
- Rob Shapland, Cross-site request forgery: Lessons from a CSRF attack example
- Cross site request forgery (CSRF) attack
CSRF
- A CSRF attacker lures our users into submitting a malicious request to our server. The form comes from the attacker's site, but it submits the request to our server, and the browser attaches the user's cookies for our site.
- A CSRF attacker cannot read or change cookies for our site.
- A CSRF attacker cannot read data from our site; the attack only causes a state-changing request to be made on the user's behalf.
CSRF Attack Solutions
- Harsha Kavinda, Synchronizer Token Pattern: when the user logs in, generate a random token and store it as a session variable. Then, in every form sent to the user, add that session variable's value in a hidden field of the form. When the server receives the form data submitted by the user, it checks that the hidden field value matches the session variable value, and rejects the request otherwise.
- Harsha Kavinda, Double Submit Cookie Pattern: when the user logs in, generate a random token and put it in a cookie. Then, in every form sent to the user, add that cookie value in a hidden field of the form. When the server receives the form data submitted by the user, it checks that the hidden field value matches the cookie value; a form served from the attacker's site cannot read our cookie, so it cannot fill in a matching hidden field.
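Both patterns above, as an added framework-agnostic example (not code from this page or from Harsha Kavinda's articles); the field name `csrf_token`, the session key and the cookie name are assumed, and `session`, `cookies` and `form` stand in for whatever objects your web framework provides.

```python
import hmac
import html
import secrets

TOKEN_FIELD = "csrf_token"   # hidden form field name (assumed)
SESSION_KEY = "csrf_token"   # server-side session variable (assumed)
COOKIE_NAME = "csrf_token"   # cookie used by the double-submit pattern (assumed)


def issue_synchronizer_token(session: dict) -> str:
    # Synchronizer Token Pattern: mint an unguessable token once per login
    # and keep the reference copy server-side in the session.
    token = secrets.token_urlsafe(32)
    session[SESSION_KEY] = token
    return token


def hidden_field(token: str) -> str:
    # The hidden input embedded in every form the server sends to the user.
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{html.escape(token)}">'


def verify_synchronizer_token(session: dict, form: dict) -> bool:
    # Reject the submission unless the hidden field matches the session copy.
    expected = session.get(SESSION_KEY)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False                       # missing token: treat as forged
    return hmac.compare_digest(expected, submitted)  # constant-time compare


def issue_double_submit_cookie() -> str:
    # Double Submit Cookie Pattern: the token lives in a cookie, so the
    # server needs no per-user state; the caller sets it as a cookie.
    return secrets.token_urlsafe(32)


def verify_double_submit(cookies: dict, form: dict) -> bool:
    # A cross-site form cannot read our cookie, so it cannot fill in a
    # hidden field whose value matches it.
    cookie_value = cookies.get(COOKIE_NAME)
    submitted = form.get(TOKEN_FIELD)
    if not cookie_value or not submitted:
        return False
    return hmac.compare_digest(cookie_value, submitted)


def demo() -> dict:
    # Constructed flows: one legitimate submission and one forged one per pattern.
    session = {}
    tok = issue_synchronizer_token(session)
    cookie_tok = issue_double_submit_cookie()
    return {
        "sync_ok": verify_synchronizer_token(session, {TOKEN_FIELD: tok, "amount": "100"}),
        "sync_forged": verify_synchronizer_token(session, {"amount": "100"}),
        "dsc_ok": verify_double_submit({COOKIE_NAME: cookie_tok}, {TOKEN_FIELD: cookie_tok}),
        "dsc_forged": verify_double_submit({COOKIE_NAME: cookie_tok}, {TOKEN_FIELD: "guess"}),
    }
```

With the double-submit variant the cookie should be set with the `Secure` attribute and checked only on state-changing requests, since anyone who can write cookies for the domain can defeat it.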