During a recent security scan of our Java web application, we found CSRF vulnerabilities. I know that for a newer app using a security framework like Spring Security, we could easily add a hidden input to every form, do the other required configuration, and that would solve the problem.

    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

But ours is a very old app still using acegi-security (1.0.2) and has hundreds of forms written in JSPs. Adding a hidden CSRF token input to all of these forms seems very tedious. Is there a smarter way of securing my application without all of this hard work?
The Synchronizer Token Pattern is the best way to prevent CSRF.
The other way you can prevent CSRF is by checking the Referer header. Example code:

    String requestOrigin = request.getHeader("referer");
    // Check whether the origin of the request is a known source.
    // A missing header is treated as unknown, so knownURIs() never sees null.
    if (requestOrigin == null || !knownURIs(requestOrigin)) {
        // reject the request
    } else {
        // process request
    }
But this method won't work if you are using HTTPS, and/or if your site is vulnerable to XSS or an open redirect, which can easily bypass this check.
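As an added example (my own code, not from the question or the answer), here is a servlet Filter that applies the Synchronizer Token Pattern to the whole application from one place, so the token check does not have to be repeated in each JSP; each form then only needs the one hidden input, which can come from a shared JSP include. The class and attribute names (CsrfTokenFilter, csrfToken, _csrf, X-CSRF-Token) are my own choices, and it assumes the javax.servlet API and Java 8 or later for Base64.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: enforces the Synchronizer Token Pattern for the whole app from one filter.
public class CsrfTokenFilter implements Filter {
    public static final String TOKEN_ATTR = "csrfToken"; // session + request attribute (assumed name)
    public static final String TOKEN_PARAM = "_csrf";    // hidden form field name (assumed name)
    private static final SecureRandom RNG = new SecureRandom();

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        // One unguessable token per session; JSPs render it as ${csrfToken}.
        String expected;
        synchronized (session) {
            expected = (String) session.getAttribute(TOKEN_ATTR);
            if (expected == null) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);
                expected = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(TOKEN_ATTR, expected);
            }
        }
        request.setAttribute(TOKEN_ATTR, expected);

        // Only state-changing methods are checked; GET/HEAD/OPTIONS must stay side-effect free.
        if (isStateChanging(request.getMethod())) {
            String actual = request.getParameter(TOKEN_PARAM);
            if (actual == null) actual = request.getHeader("X-CSRF-Token"); // XHR clients
            if (actual == null || !MessageDigest.isEqual(expected.getBytes(), actual.getBytes())) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid CSRF token");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    static boolean isStateChanging(String method) {
        return !("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method));
    }
}
```

Map the filter in web.xml ahead of the Acegi filter chain and put `<input type="hidden" name="_csrf" value="${csrfToken}"/>` in a JSP include shared by the forms. Multipart uploads are not covered by getParameter(), so for those the token must be read from the parsed body or sent in the header.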