SoCoder -> Link Home -> Help/Tutorials


 
HoboBen
Created : 25 September 2008
 

Cross-Site Request Forgeries



https://www.codinghorror.com/blog/archives/001171.html
An excellent article detailing Cross-Site Request Forgeries: one of the subtler security problems, but incredibly dangerous because it doesn't exploit a system in the conventional sense. Instead it automates an action that the logged-in user could take normally, for example logging them out (which would be an inconvenience), getting them to unknowingly post spam in a forum with their account, or deleting their own posts.

If a web page contains a form whose target is another website, submitting that form makes the visitor perform the action on the other website:



From there it is just a matter of convincing a user of example.org to visit your link.

Another method is using a URL as an image source. This is rarer, because it's bad practice to let a URL with GET parameters take an action (Google crawling your URLs would end up doing all sorts of bad things), but it's even easier to pull off.

My solution is to add a hidden value to every form containing a salted MD5 hash of the logged-on user's name that must be correct for any action to be taken.
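As an added example (not code from the original post or from SoCoder), here is the hidden-token defence above written out in Python: the server embeds a keyed hash of the logged-on user's name in its own forms and refuses any state-changing POST whose hidden value does not match. HMAC-SHA256 stands in for the salted MD5, the `SERVER_SALT` value is a placeholder, and the user names and form submissions are constructed for the demonstration.

```python
import hashlib
import hmac

# Placeholder: a real deployment keeps a long random secret outside the code.
SERVER_SALT = b"PLACEHOLDER-server-side-secret-salt"


def form_token(username: str) -> str:
    """Hidden value to embed in every state-changing form for this user.

    A keyed hash (HMAC-SHA256) of the logged-on user's name: a third-party
    page cannot compute it without the server's salt, so a cross-site form
    cannot carry a valid one."""
    return hmac.new(SERVER_SALT, username.encode("utf-8"), hashlib.sha256).hexdigest()


def form_html(action: str, username: str) -> str:
    """Render the hidden field the server adds to its own forms."""
    return (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="csrf_token" value="{form_token(username)}">'
            f'<input type="submit" value="Logout"></form>')


def accept_action(session_user: str, form_fields: dict) -> bool:
    """Server-side check run before any action is taken on a POST.

    session_user is whoever the browser's session cookie identifies (the
    cookie is sent automatically, whichever site the form came from);
    form_fields is the parsed POST body. The request is honoured only if
    the hidden value is the token for *this* user."""
    token = form_fields.get("csrf_token")
    if not token:
        return False
    # Constant-time comparison, so the token cannot be guessed byte by byte.
    return hmac.compare_digest(token, form_token(session_user))


# Constructed sample requests, all arriving with alice's session cookie.
LEGIT_POST = {"csrf_token": form_token("alice"), "post_id": "42"}
CROSS_SITE_POST = {"post_id": "42"}                                      # third-party form: no token
FOREIGN_TOKEN_POST = {"csrf_token": form_token("mallory"), "post_id": "42"}  # someone else's token

if __name__ == "__main__":
    for name, fields in [("legit", LEGIT_POST), ("cross-site", CROSS_SITE_POST),
                         ("foreign token", FOREIGN_TOKEN_POST)]:
        print(name, "accepted" if accept_action("alice", fields) else "rejected")
```

Because the token depends only on the user name and the salt, it is identical in every form that user ever sees; a random token stored in the session and regenerated on login limits how long a leaked value stays useful.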

 

Comments


Friday, 26 September 2008, 06:23
Stealth
Another method would be to check the referer when processing requests. If it's not from your domain, reject it.
Friday, 26 September 2008, 06:37
HoboBen
The problem with that is that the referrer field is optional, and not every browser will send it. But as long as your error message is helpful enough that visitors know what to do about it, that's okay I suppose.
Friday, 26 September 2008, 08:17
Jayenkai
Yeah, I was originally going to add referrer checks when I added the logout button so very very long ago..
But then.. something.. either my phone, or my DS's browser, can't remember which, stopped me from doing it.

I don't currently think it's that big of a problem. But as always, if it does indeed turn out to be, I'll jump at the chance to patch it up.