Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Preventing CSRF?

Tags:

csrf

I already seen some question from here (stackoverflow) and THIS post, but I still have some questions...

  1. Using hidden value in the post form and check it when post reach the server.

    • The hidden value can easy be copied and send exactly like the real one, "hard to guess" (like md5) will not help. (right?)

  2. Setting a cookie when you reach the form and send the cookie value as a hidden value.

    • You can easily change a cookie value or send a custom cookie exactly like the real one using the same real hidden value. (right?)

  3. Using 'timeout', the POST values cannot reach too late.

    • So, if you're slow you will fail when you try to set everything up with the hidden value. If you're fast it gonna work. (right?)

I want to be protected about CSRF...but how exactly I do it?

like image 572
Pedro Gabriel Avatar asked Jan 03 '12 18:01

Pedro Gabriel

People also ask

How is CSRF prevented?

The most effective method of protecting against CSRF is by using anti-CSRF tokens. The developer should add such tokens to all forms that allow users to perform any state-changing operations. When an operation is submitted, the web application should then check for the presence of the correct token.

What is the best Defence against CSRF?

Login CSRF can be mitigated by creating pre-sessions (sessions before a user is authenticated) and including tokens in login form.

What is CSRF protection?

A CSRF token is a secure random token (e.g., synchronizer token or challenge token) that is used to prevent CSRF attacks. The token needs to be unique per user session and should be of large random value to make it difficult to guess. A CSRF secure application assigns a unique CSRF token for every user session.

Can firewall prevent CSRF?

You can further protect your web application by using a web application firewall (WAF) to detect and block CSRF and other common application attacks automatically such as the vulnerabilities in the OWASP Top 10.

1 Answers

The easiest way I found to prevent CSRF issues is:

  1. On the server side, assign an HttpOnly cookie to the client with a random (unguessable) token

  2. Place a hidden field on the form with that cookie value

  3. Upon form submit, ensure the hidden field value equals the cookie value (on the server side of things)

like image 200
Matthew Avatar answered Sep 22 '22 23:09

Matthew
Sign in to Comment

Related questions

Implementing CSRF protection in a Python REST API
Spring security csrf is null
Rails 4 authenticity token - both in header and form hidden input?
Facebook PHP SDK - getLoginUrl() - state value
CSRF safe Custom button linked to Apex method
Can't verify CSRF token authenticity Rails 4 Ajax even when header is set
Is worrying about XSS,CSRF,sql injection, cookie stealing enough to cover web-security?
Questions on Django's CSRF protection
Fetch API not sending session cookies when used inside a Chrome Extension
Spring boot STATELESS application with JWT auth and csrf token
XSRF protection in an AJAX style app
Why does Django not generate CSRF or Session Cookies behind a Varnish Proxy?
GWT & XSRF Protection
Laravel Dingo API and issues with Middleware\\VerifyCsrfToken.php
How to identify Post Data is hacked using anti-forgery token
Session handling during login with protection against XSRF (cross-site-request-forgery) in GWT
How to handle pages with stale CSRF authenticity tokens in Rails
Posting a JSON model to ASP.Net MVC3 with Anti-forgery token
Django CSRF Verification failed for admin panel
Is Firebase Auth's local (persisted auth state) secure and safe from XSS and CSRF for browsers?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!