...

A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

...

The preferred option is to include the unique token in a hidden field. This causes the value to be sent in the body of the HTTP request, avoiding its inclusion in the URL, which is more prone to exposure.
The unique token can also be included in the URL itself, or a URL parameter. However, such placement runs a greater risk that the URL will be exposed to an attacker, thus compromising the secret token.
OWASP's CSRF Guard can automatically include such tokens in Java EE, .NET, or PHP apps. OWASP's ESAPI includes methods developers can use to prevent CSRF vulnerabilities.

...

  1. Include the anti-CSRF token as a hidden form field in a JSP:
    Code Block
    <html:form action="registration-submit">
      <html:hidden property="action"/>
      <!-- the field name is the session attribute key, so the action can look up both sides with one constant -->
      <input type="hidden" name="<%= CSRFTokenUtil.SESSION_ATTR_KEY %>"
             value="<%= CSRFTokenUtil.getToken(request.getSession(false)) %>">
    </html:form>
    
    This creates the token if it doesn't already exist and includes it as a hidden parameter in the HTML form.
    The next step is to validate the token in the Struts action that handles the mapping, before any state-changing work is done:
    Code Block
    if (!CSRFTokenUtil.isValid(request.getSession(false), request)) {
        // token missing or mismatched: treat the request as forged and do not process it
        return mapping.findForward("error");
    }
    
  2. When a Web application formulates a request (by generating a link or form that causes a request when submitted or clicked by the user), the application should include a hidden input parameter with a common name such as "CSRFToken". The value of this token must be randomly generated such that it cannot be guessed by an attacker. Consider leveraging the java.security.SecureRandom class for Java applications to generate a sufficiently long random token. Alternative generation algorithms include the use of 256-bit BASE64-encoded hashes. Developers that choose this generation algorithm must make sure that the data being hashed contains enough randomness and is unique per session, since hashing alone adds no unpredictability.
    Code Block
    <form action="/transfer.do" method="post">
      <input type="hidden" name="CSRFToken"
             value="OWY4NmQwODE4ODRjN2Q2NTlhMmZlYWEwYzU1YWQwMTVhM2JmNGYxYjJiMGI4MjJjZDE1ZDZ==">
    </form>
    
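The page names CSRFTokenUtil and its members (SESSION_ATTR_KEY, getToken, isValid) in step 1 and describes the token requirements in step 2, but shows the code of neither. The class below is an added example written for this page, not OWASP's, CSRF Guard's or ESAPI's code, of one way such a utility can be implemented so that the JSP field and the action check above work against it: a 256-bit token from java.security.SecureRandom, created once per session and stored under SESSION_ATTR_KEY, and a validation that rejects a missing token and compares in constant time. Only the class and member names come from the page; the method bodies, the use of the javax.servlet API and the Base64 encoding choice are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical implementation of the CSRFTokenUtil referenced on the page.
 * The token is generated with SecureRandom (256 bits), stored in the user's
 * HttpSession, and compared in constant time against the submitted form field.
 */
public final class CSRFTokenUtil {

    /** Session attribute key; also used as the hidden form field name in the JSP. */
    public static final String SESSION_ATTR_KEY = "CSRFToken";

    private static final int TOKEN_BYTES = 32;               // 256 bits of entropy
    private static final SecureRandom RNG = new SecureRandom();

    private CSRFTokenUtil() {}

    /**
     * Returns the token bound to this session, creating and storing it on first use.
     * A null session (request.getSession(false) with no session yet) is an error:
     * a token that is not bound to a user cannot prove anything.
     */
    public static synchronized String getToken(HttpSession session) {
        if (session == null) {
            throw new IllegalStateException("no session: CSRF token cannot be bound to a user");
        }
        String token = (String) session.getAttribute(SESSION_ATTR_KEY);
        if (token == null) {
            byte[] raw = new byte[TOKEN_BYTES];
            RNG.nextBytes(raw);
            // URL-safe Base64 without padding keeps the value safe inside HTML attributes
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(SESSION_ATTR_KEY, token);
        }
        return token;
    }

    /**
     * True only when the request carries exactly the token stored in this session.
     * Missing session, missing stored token or missing parameter all fail closed.
     */
    public static boolean isValid(HttpSession session, HttpServletRequest request) {
        if (session == null || request == null) {
            return false;
        }
        String expected = (String) session.getAttribute(SESSION_ATTR_KEY);
        String supplied = request.getParameter(SESSION_ATTR_KEY);
        if (expected == null || supplied == null) {
            return false;                                    // never accept an absent token
        }
        // MessageDigest.isEqual runs in constant time for equal-length inputs,
        // so a mismatch does not reveal how many leading bytes agreed.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because the hidden field in the JSP is named with SESSION_ATTR_KEY, isValid reads the submitted value with the same constant it uses to look up the stored token, so the two halves cannot drift apart. The check must run before the action performs any state change; forwarding to "error" after the transfer has already happened defeats the purpose.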

...