Cross-Site Request Forgery (CSRF) - Revision history

Jmanico: Undo revision 237090 by Hblankenship (talk) breaks page rendering on mobile

2018-03-06T20:52:54Z

Undo revision 237090 by Hblankenship (talk) breaks page rendering on mobile

Hblankenship: Added Donate to OWASP Button per OWASP Donation Initiative

2018-01-27T15:03:30Z

Added Donate to OWASP Button per OWASP Donation Initiative

Sarciszewski: Clarify HTTPS section. Of course HTTPS alone isn't adequate. That doesn't mean it shouldn't be required.

2017-12-13T15:24:22Z

Clarify HTTPS section. Of course HTTPS alone isn't adequate. That doesn't mean it shouldn't be required.

Jmanico at 18:21, 20 June 2017

2017-06-20T18:21:01Z

Wichers: Add CSRF Cheat sheet to references

2017-03-22T13:58:37Z

Add CSRF Cheat sheet to references

Ari Elias-Bachrach: /* Related Security Activities */ contraction needs an apostophe

2016-11-02T17:19:55Z

‎Related Security Activities: contraction needs an apostophe

Jmanico: /* Prevention measures that do NOT work */

2016-05-22T18:04:54Z

‎Prevention measures that do NOT work

Jmanico: fix per glen

2015-10-14T17:22:04Z

fix per glen

Christina Schelin: Tidying up. No factual changes.

2015-03-10T14:56:16Z

Tidying up. No factual changes.

Show changes

A V Minhaz: /* How to Prevent CSRF Vulnerabilities */

2014-12-13T18:31:05Z

‎How to Prevent CSRF Vulnerabilities

@@ Line 2: / Line 2: @@
 [[Category:OWASP ASDR Project]]
 Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
@@ Line 201: / Line 199: @@
 * [http://code.google.com/p/pinata-csrf-tool/ Pinata-CSRF-Tool: CSRF POC tool]
 : Pinata makes it easy to create Proof of Concept CSRF pages. Assists in Application Vulnerability Assessment.  [[Category:Exploitation of Authentication]] [[Category:Embedded Malicious Code]] [[Category:Spoofing]] [[Category:Attack]]

@@ Line 2: / Line 2: @@
 [[Category:OWASP ASDR Project]]
 Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
@@ Line 199: / Line 201: @@
 * [http://code.google.com/p/pinata-csrf-tool/ Pinata-CSRF-Tool: CSRF POC tool]
 : Pinata makes it easy to create Proof of Concept CSRF pages. Assists in Application Vulnerability Assessment.  [[Category:Exploitation of Authentication]] [[Category:Embedded Malicious Code]] [[Category:Spoofing]] [[Category:Attack]]

@@ Line 63: / Line 63: @@
 == HTTPS ==
-HTTPS does nothing to defend against CSRF.
+HTTPS by itself does nothing to defend against CSRF.
 ==Examples==
@@ Line 111: / Line 113: @@
 Such a request cannot be delivered using standard A or IMG tags, but can be delivered using a FORM tag:
-  <form action="<nowiki>http://bank.com/transfer.do</nowiki>" method="POST">
+  <form action="&lt;nowiki&gt;http://bank.com/transfer.do&lt;/nowiki&gt;" method="POST">
   <input type="hidden" name="acct" value="MARIA"/>
   <input type="hidden" name="amount" value="100000"/>
@@ Line 189: / Line 191: @@
 : Anti CSRF method to mitigate CSRF in web applications. Currently implemented as a PHP library & Apache 2.x.x module
-* [http://yehg.net/lab/pr0js/view.php/A_Most-Neglected_Fact_About_CSRF.pdf A Most-Neglected Fact About Cross Site Request Forgery (CSRF)  ]
+* [http://yehg.net/lab/pr0js/view.php/A_Most-Neglected_Fact_About_CSRF.pdf A Most-Neglected Fact About Cross Site Request Forgery (CSRF)]
 : Aung Khant, http://yehg.net, explained the danger and impact of CSRF with imperiling scenarios.
@@ Line 196: / Line 198: @@
 * [http://code.google.com/p/pinata-csrf-tool/ Pinata-CSRF-Tool: CSRF POC tool]
-: Pinata makes it easy to create Proof of Concept CSRF pages. Assists in Application Vulnerability Assessment.
+: Pinata makes it easy to create Proof of Concept CSRF pages. Assists in Application Vulnerability Assessment.  [[Category:Exploitation of Authentication]] [[Category:Embedded Malicious Code]] [[Category:Spoofing]] [[Category:Attack]]

@@ Line 99: / Line 99: @@
 If this image tag were included in the email, Alice wouldn't see anything. However, the browser ''will still'' submit the request to bank.com without any visual indication that the transfer has taken place.
-A real life example of CSRF attack on an application using GET was a [http://xs-sniper.com/blog/2008/04/21/csrf-pwns-your-box/ uTorrent exploit] from 2008 that was used on a mass scale to download malware.
+A real life example of CSRF attack on an application using GET was a [https://www.ghacks.net/2008/01/17/dos-vulnerability-in-utorrent-and-bittorrent/ uTorrent exploit] from 2008 that was used on a mass scale to download malware.
 ====POST scenario====

@@ Line 168: / Line 168: @@
 ==References==
 * [http://www.cgisecurity.com/articles/csrf-faq.shtml The Cross-Site Request Forgery (CSRF/XSRF) FAQ]
@@ Line 173: / Line 175: @@
 * [[Testing for CSRF (OWASP-SM-005)|Testing for CSRF]]
-: CSRF (aka Session riding) paper from the OWASP Testing Guide project (need to integrate)
+: CSRF (aka Session riding) paper from the OWASP Testing Guide project.
 * [http://www.darkreading.com/document.asp?doc_id=107651&WT.svl=news1_2 CSRF Vulnerability: A 'Sleeping Giant']
@@ Line 184: / Line 186: @@
 : J2EE, .NET, and PHP Filters which append a unique request token to each form and link in the HTML response in order to provide universal coverage against CSRF throughout your entire application.
-* [http://owasp.org/index.php/CSRFProtector_Project OWASP CSRF Protector]
+* [[CSRFProtector_Project | OWASP CSRF Protector]]
-: a new anti CSRF method to mitigate CSRF in web applications. Currently implemented as a php library & Apache 2.x.x module
+: Anti CSRF method to mitigate CSRF in web applications. Currently implemented as a PHP library & Apache 2.x.x module
 * [http://yehg.net/lab/pr0js/view.php/A_Most-Neglected_Fact_About_CSRF.pdf A Most-Neglected Fact About Cross Site Request Forgery (CSRF)  ]

@@ Line 27: / Line 27: @@
 Most frameworks have built-in CSRF support such as [http://docs.joomla.org/How_to_add_CSRF_anti-spoofing_to_forms Joomla], [http://blog.eyallupu.com/2012/04/csrf-defense-in-spring-mvc-31.html Spring], [http://web.securityinnovation.com/appsec-weekly/blog/bid/84318/Cross-Site-Request-Forgery-CSRF-Prevention-Using-Struts-2 Struts], [http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf Ruby on Rails], [http://www.troyhunt.com/2010/11/owasp-top-10-for-net-developers-part-5.html .NET] and others.
-Use [[:Category:OWASP_CSRFGuard_Project|OWASP CSRF Guard]] to add CSRF protection to your Java applications. You can use [[CSRFProtector Project]] to protect your php applications or any project deployed using Apache Server . There is a [[.Net CSRF Guard]] at OWASP as well, but its old and doesn't look complete.
+Use [[:Category:OWASP_CSRFGuard_Project|OWASP CSRF Guard]] to add CSRF protection to your Java applications. You can use [[CSRFProtector Project]] to protect your php applications or any project deployed using Apache Server. There is a [[.Net CSRF Guard]] at OWASP as well, but it's old and doesn't look complete.
 John Melton also has an [http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/ excellent blog post] describing how to use the native anti-CSRF functionality of the [http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP ESAPI].

@@ Line 45: / Line 45: @@
 === Prevention measures that do '''NOT''' work ===
-;Using a secret cookie
+== Using a secret cookie ==
-:Remember that all cookies, even the ''secret'' ones, will be submitted with every request. All authentication tokens will be submitted regardless of whether or not the end-user was tricked into submitting the request. Furthermore, session identifiers are simply used by the application container to associate the request with a specific session object. The session identifier does not verify that the end-user intended to submit the request.
+Remember that all cookies, even the ''secret'' ones, will be submitted with every request. All authentication tokens will be submitted regardless of whether or not the end-user was tricked into submitting the request. Furthermore, session identifiers are simply used by the application container to associate the request with a specific session object. The session identifier does not verify that the end-user intended to submit the request.
-;Only accepting POST requests
+== Only accepting POST requests ==
-:Applications can be developed to only accept POST requests for the execution of business logic. The misconception is that since the attacker cannot construct a malicious POST request, a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are numerous methods in which an attacker can trick a victim into submitting a forged POST request, such as a simple form hosted on the attacker's website composed entirely of hidden fields. This form can be triggered automatically by JavaScript or can be triggered by the victim who thinks the form will do something else.
+Applications can be developed to only accept POST requests for the execution of business logic. The misconception is that since the attacker cannot construct a malicious link, a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are numerous methods in which an attacker can trick a victim into submitting a forged POST request, such as a simple form hosted in an attacker's Website with hidden values. This form can be triggered automatically by JavaScript or can be triggered by the victim who thinks the form will do something else.
 ==Examples==

@@ Line 126: / Line 126: @@
   	x.open("PUT","<nowiki>http://bank.com/transfer.do</nowiki>",true);
   	x.setRequestHeader("Content-Type", "application/json");
-  	x.send(JSON.stringify('{"acct":"BOB", "amount":100}'));
+  	x.send(JSON.stringify({"acct":"BOB", "amount":100}));
+  }
   </script>