pf » Cross Site Request Forgery (CSRF) Attacks

May 11, 2005

Cross Site Request Forgery (CSRF) Attacks

web

I found a site that has some good security tips for web developers. It mentions one type of attack that doesn't get much attention - called Cross Site Request Forgery (CSRF).

Basically lets say a user is logged into your site, and then they get an email, or go to a malicious web page (without logging out) that directs the user to a file on your site such as /members/cancel_membership.cfm. Oops, they just ran that page as an authenticated user!

Attackers can use this technique to post comment spam, log out users (probably not so bad), change preferences, or do potentially anything your web application lets authenticated users do!

So to prevent these attacks you can't rely simply on checking the http referer because that can be spoofed. The article suggests that you:

  • Require HTTP POST operations, instead of HTTP GET's (when your passing parameters)
  • Include some sort of hash in the form post based on the users credentials, then validate the hash on the server before performing the operation.
  • You will also want to do server side confirmations (eg: are you sure you want to delete?)

| Add Comment | add to del.icio.us | Tags: , , ,

Related Entries
3 people found this page useful, what do you think?

Trackbacks
Trackback Address: 348/318C34A53E203B62F771FA19258B6AE4
Comments
On 05/18/2005 at 4:36:07 PM MDT Pete Freitag wrote:
1
Cross Site Request Forgery attacks are also sometimes called XSRF attacks

On 07/23/2006 at 2:31:07 PM MDT Jessica wrote:
2
myspace will not let me log in so i went to forgot password and it emailed it to me and then i tried to get in everything was right but i still can't get into myspace account please help me !

Post a Comment



  



Spell Checker by Foundeo

Recent Entries




Subscribe to my RSS Feed: solosub RSS
Tags