Cross Site Request Forgery (CSRF) Attacks
I found a site that has some good security tips for web developers. It mentions one type of attack that doesn't get much attention - called Cross Site Request Forgery (CSRF).
Basically lets say a user is logged into your site, and then they get an email, or go to a malicious web page (without logging out) that directs the user to a file on your site such as
/members/cancel_membership.cfm. Oops, they just ran that page as an authenticated user!
Attackers can use this technique to post comment spam, log out users (probably not so bad), change preferences, or do potentially anything your web application lets authenticated users do!
So to prevent these attacks you can't rely simply on checking the http referer because that can be spoofed. The article suggests that you:
- Require HTTP POST operations, instead of HTTP GET's (when your passing parameters)
- Include some sort of hash in the form post based on the users credentials, then validate the hash on the server before performing the operation.
- You will also want to do server side confirmations (eg: are you sure you want to delete?)
- csrfVerifyToken does not invalidate the token - February 6, 2019
- Firefox 3.5 Introduces Origin Header, Security Features - June 30, 2009
- Announcing Web Application Firewall for ColdFusion - July 9, 2007
- The Dangers of Flash's crossdomain.xml - November 2, 2006
- 20 ways to Secure your Apache Configuration - December 6, 2005
- Travis CI Error when installing oraclejdk8
- Tuning Tomcat IIS Connectors worker.properties and server.xml
- Push Tomcat logs with the AWS CloudWatch Logs Agent
- Sending nginx access logs to CloudWatch Logs Agent
- Setup CloudWatch Logs Agent on Ubuntu 18.04 LTS
- Tomcat Virtual Directory Howto
- Communications link failure MySQL JDBC with TLS
- Redirect www and non https in IIS using web.config