This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Talk:Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
Don't post theoretical attacks, or "here say" on any OWASP page.
If you edit this page, please provide a rational. If you make a mindless edit without rationalization, it maybe reverted.
A referer check is a valid form of protection and is currently being used to stop the most dangerous CSRF vulnerability ever discovered (according to the DHS: http://www.kb.cert.org/vuls/id/643049). If you think it be exploited, PROVE IT. Stop spreading clearly false information on OWASP.
Is this statement really correct?
This means that while an attacker can send any value he wants with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie.
This seems incorrect. An attacker can modify cookies from a sibling domain. See https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf for examples. Thus double-submit csrf cookie should also be checked for some tie to the logged in session so that it can't just be pushed in.
Jim July 27, 2014: What about "This means that while an attacker can send any value he wants with a malicious CSRF request, the attacker would be unable to modify or read the value stored in the cookie other than via cross site scripting. (And cross site scripting resistance is a requirement for good CSRF defense to begin with."
--David Ohsie (talk) 09:47, 30 July 2014 (CDT) I don't think that this is 100% accurate either. Cookies can be written via CSS in a sibling domain, so that even if the application in not vulnerable to CSS, if the sibling domain application is vulnerable to CSS, or is simply not trustworthy, cookies can be written. Cookies can also be written via MITM attacks on http. So the application in question can be completely "secure", but it's cookies can be tampered with anyhow. That is why the paper referenced above suggests that the CSRF token must in some way be tied to the user's session or identity and the "naive" double submit method is vulnerable. At the very least, with naive double submit, the application should check to make sure that there is only one CSRF token cookie value as this will mitigate some attempts to write the cookie from another domain.
Jim July 30, 2014: Ok I got it. Can you make your change live in the document itself to clarify this? Or hey, the entire CSRF Defense cheat sheet needs to be fully re-written and made more concise and more of a "cheat" for developers. Are you interested in taking this over? Aloha! Ps: I'm [email protected] if you want to take this to email.
--David Ohsie (talk) 11:45, 31 July 2014 (CDT)I'll take a crack at editing, although I don't know if I am capable of doing a rewrite. I didn't want to make any changes without some prior discussion.
Jim July 31 2014, Thank you - any help is appreciated. I'm happy to discuss any changes you wish to make. I think this entire page needs a re-do, but happy to do that one change at a time. Aloha!
Confusion About Encrypted Token Pattern
Based on discussion about the encrypted token pattern taking place on security.stackexchange.com, I think that the discussion about the encrypted token pattern should include provide an explanation for the use of the nonce. Is the nonce supposed to be validated? If so, the validation section needs some additional text. Is the nonce there to provide some cryptographic protection? If so, what?
Neil Smithline, http://www.neilsmithline.com 14:45, 15 November 2015 (CST)
CSRF Prevention via Alternative HTTP Methods
Browsers permit cross-domain form submission, but only via GET and POST methods. Modern browsers do not allow you to set the method to anything else, cross domain, unless CORS is used. One can leverage this to prevent CSRF without the need for cryptographic tokens. If you code your site so that material changes to stored data (record updates, other writes) happen only via other HTTP methods (such as PUT, DELETE, PATCH, etc), then no other domain can submit those changes. Of course this means your site will need to use AJAX to submit changes, but this is a very common development pattern already. Definitely interested in any technical discussion on this idea, but if no one sees a problem with it, I think we should add it to the page as an option.