This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet"

From OWASP
Jump to: navigation, search
Line 18: Line 18:
  
 
The request name should be different for each request. The CSRFToken must be strictly protected, for example an application that does not use SSL or passes the token through a URL parameter, will result in the CSRFToken being leaked.
 
The request name should be different for each request. The CSRFToken must be strictly protected, for example an application that does not use SSL or passes the token through a URL parameter, will result in the CSRFToken being leaked.
 +
 +
== .NET Viewstate ==
 +
 +
== Prevention Frameworks ==
 +
 +
There are CSRF prevention modules available for J2EE, .Net, and PHP.
 +
 +
[http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project OWASP CSRF Guard]
 +
 +
The OWASP CSRFGuard Project makes use of a unique per-session token verification pattern using a JavaEE filter to mitigate the risk of CSRF attacks. When an HttpSession is first instantiated, CSRFGuard will generate a cryptographically random token using the SecureRandom class to be stored in the session.
 +
 +
CSRFGuard is a "reference implementation". Developers are encouraged to leverage more tightly integrated solutions for performance (ex: speed of parsing HTML) and technical (ex: AJAX requests) challenges.
 +
 +
Similar Projects
 +
There are a small number of other projects that implement the unique random request token concept similar to that of CSRFGuard. They are as follows:
 +
 +
[http://www.owasp.org/index.php/PHP_CSRF_Guard http://www.owasp.org/index.php/PHP_CSRF_Guard]
 +
 +
[http://www.owasp.org/index.php/.Net_CSRF_Guard http://www.owasp.org/index.php/.Net_CSRF_Guard]
 +
  
 
= References =
 
= References =

Revision as of 14:41, 14 October 2009

Introduction

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site that the user is currently authenticated to. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the users’ context.

A successful CSRF exploit can compromise end user data and operation, when it targets a normal user. If the targeted end user is an administrator account, a CSRF attack can compromise the entire Web application. The sites that are more likely to be attacked are community Websites (social networking, email) or sites that have high dollar value accounts associated with them (banks, stock brokerages, bill pay services). This attack can happen even if the user is logged into a Web site using strong encryption (HTTPS).

Utilizing social engineering, an attacker will embed malicious HTML or JavaScript code into an email or Website to request a specific 'task url'. The task then executes with or without the users knowledge, either directly or by utilizing a Cross-site Scripting Flaw.

In effect, CSRF attacks are used by an attacker to make a target system perform a function (Funds Transfer, Form submission etc..) via the targets browser without knowledge of the target user, at least until the unauthorized function has been committed.

Prevention

Token Based

The most common defense of CSRF is to append challenge tokens to each sensitive request. These challenge tokens must be associated with the user's session. By including a challenge token with each request, the developer can ensure that the request is valid and not coming from another source other than the user. The following describes how to incorporate challenge tokens.

When a Web application formulates a request (by generating a link or form that causes a request when submitted or clicked by the user) the application should include as a query parameter as an “Input” tag of type “hidden” with a name like: CSRFToken. It is important to note that the CSRFToken should not be included in the URL or in URL parameters as they may be leaked. The CSRFToken should have a value that is a randomly generated such as a 128-bit hash that has been base 64 encoded. For each request this token need only be generated randomly once, after that the token value is stored in a session specific table mapping request names to validation tokens. When a request is performed by the user, before the request is executed the submitted CSRFToken has its value verified by comparing the provided token to the value stored in the mapping table for this request. If there is no value in the table for this request name, or if the value provided does not match the value in the table exactly then the Request Formulator is not the application, the request should be aborted and the event can be logged as a potential security incident.

The request name should be different for each request. The CSRFToken must be strictly protected, for example an application that does not use SSL or passes the token through a URL parameter, will result in the CSRFToken being leaked.

.NET Viewstate

Prevention Frameworks

There are CSRF prevention modules available for J2EE, .Net, and PHP.

OWASP CSRF Guard

The OWASP CSRFGuard Project makes use of a unique per-session token verification pattern using a JavaEE filter to mitigate the risk of CSRF attacks. When an HttpSession is first instantiated, CSRFGuard will generate a cryptographically random token using the SecureRandom class to be stored in the session.

CSRFGuard is a "reference implementation". Developers are encouraged to leverage more tightly integrated solutions for performance (ex: speed of parsing HTML) and technical (ex: AJAX requests) challenges.

Similar Projects There are a small number of other projects that implement the unique random request token concept similar to that of CSRFGuard. They are as follows:

http://www.owasp.org/index.php/PHP_CSRF_Guard

http://www.owasp.org/index.php/.Net_CSRF_Guard


References

Cross Site Reference Forgery

An introduction to a common web application weakness