
Introduction to Cross-Site Request Forgery (XSRF)

Explore the mechanisms behind cross-site request forgery (XSRF) attacks and understand why servers trusting browsers can be exploited. Learn how to implement hidden form inputs with secret tokens to differentiate legitimate requests from forged ones, and why preventing XSRF requires ensuring defenses against related vulnerabilities like cross-site scripting.


If XSS is a case of a browser trusting JavaScript from the server too much, XSRF is a case of a server trusting a browser too much.

Let’s go back to our example of a blogging site. Somehow there must be a browser request that saves a blog post to the server. Suppose the blog posting request looks something like this:

POST /blog/create HTTP/1.1
Host: www.romansjournalingsite.com
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: sessionid=Re9ljf4uObKk9mSFqBlusxamUKw
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 57

body=It+was+the+best+of+posts.+It+was+the+worst+of+posts.&submit=Publish

In a naive web application, that could be all it takes to publish to a hosted blog—a POST request with a logged-in sessionid cookie. Let’s see how an attacker or an administrator of an evil website could use this for nefarious purposes.
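To make the server-side half of this concrete, here is an added example (not code from the original lesson or from romansjournalingsite.com) that replays the captured request and a forged cross-site copy of it against two hypothetical handlers: a naive one that accepts any POST carrying a valid sessionid cookie, and a hardened one that also demands the per-session secret the site embeds in its own form as a hidden input, and rejects a mismatching Origin header when the browser supplies one. The session store, the Request type, the handler names and the evilxsrf.com origin are all constructed for the example.

```python
import hmac
import re
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode

SITE_ORIGIN = "http://www.romansjournalingsite.com"

# Constructed in-memory session store (session id -> state). The session id is
# the one from the captured request; the CSRF token is minted once at login.
SESSIONS = {
    "Re9ljf4uObKk9mSFqBlusxamUKw": {
        "user": "roman",
        "csrf_token": secrets.token_urlsafe(32),
    }
}


@dataclass
class Request:
    """Just enough of an HTTP request for the handlers below (hypothetical type)."""
    method: str
    headers: dict
    body: str

    def cookie(self, name):
        for part in self.headers.get("Cookie", "").split(";"):
            key, _, value = part.strip().partition("=")
            if key == name:
                return value
        return None

    def form(self):
        return {k: v[0] for k, v in parse_qs(self.body).items()}


def naive_create_post(req, posts):
    """Vulnerable handler: a valid sessionid cookie is all it checks, so a form
    auto-submitted from another site is indistinguishable from the user's own."""
    session = SESSIONS.get(req.cookie("sessionid"))
    if req.method != "POST" or session is None:
        return 403
    posts.append((session["user"], req.form().get("body", "")))
    return 201


def render_create_form(session_id):
    """The site's own post form, carrying the per-session secret as a hidden
    input. A page on another origin cannot read this value: the same-origin
    policy stops it from fetching the form and inspecting the response."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form action="/blog/create" method="POST">'
        f'<input type="hidden" name="csrf_token" value="{token}"/>'
        '<textarea name="body"></textarea>'
        '<input type="submit" name="submit" value="Publish"/>'
        "</form>"
    )


def protected_create_post(req, posts):
    """Hardened handler: session cookie AND the matching hidden token, plus an
    Origin check where the browser supplies one (it does for cross-site POSTs)."""
    session = SESSIONS.get(req.cookie("sessionid"))
    if req.method != "POST" or session is None:
        return 403
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403  # the browser itself announced a cross-site submission
    submitted = req.form().get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403
    posts.append((session["user"], req.form().get("body", "")))
    return 201


def run_scenarios():
    """Replay a legitimate post and a forged one against both handlers."""
    sid = "Re9ljf4uObKk9mSFqBlusxamUKw"
    cookie = {"Cookie": f"sessionid={sid}"}

    # Legitimate client: loads the real form and echoes the hidden token back.
    html = render_create_form(sid)
    token = re.search(r'name="csrf_token" value="([^"]+)"', html).group(1)
    legit = Request("POST", {**cookie, "Origin": SITE_ORIGIN}, urlencode(
        {"body": "It was the best of posts.", "csrf_token": token, "submit": "Publish"}))

    # Forged request: the browser attaches the cookie because the form targets
    # the site's origin, but the attacker's page has no token to attach.
    forged = Request("POST", {**cookie, "Origin": "http://evilxsrf.com"}, urlencode(
        {"body": "I love evilxsrf.com", "submit": "Publish"}))

    results = {}
    for name, handler in (("naive", naive_create_post), ("protected", protected_create_post)):
        posts = []
        results[name] = {"legit": handler(legit, posts),
                         "forged": handler(forged, posts),
                         "posts": len(posts)}
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

Running it shows the naive handler publishing both posts (201, 201) while the protected handler accepts only the legitimate one (201, 403). The token check is the load-bearing defense; the Origin check is a second, cheaper layer that older browsers may not supply, which is why the handler treats a missing Origin as "check the token" rather than "allow".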

Suppose I run a malicious website. I ostensibly serve up pictures of adorable kittens playing with yarn. But surreptitiously, I also serve up malicious content like this:

HTML
<html lang="en">
<head>
<title>Malicious site</title>
</head>
<body>
<h1>Malicious site</h1>
<!-- Same action as the legitimate blog-posting request, so the browser attaches the victim's sessionid cookie -->
<form action="http://romansjournalingsite.com/blog/create" method="POST">
<input
name="body"
value="Arbitrary Attacker-Controlled Content. I love evilxsrf.com"/>
<input type="submit" id="submit" name="submit" value="Publish"/>
</form>
<script>
// Submit the form automatically as soon as the page loads; no click from the victim is needed
document.getElementById('submit').click();
</script>
</body>
</html>

What does this do? It creates a form with the action we just saw when we looked at the romansjournalingsite.com request that creates a new blog post. Additionally, the form is prepopulated with content that will create a blog post that says Arbitrary Attacker-Controlled Content. I love ...