[WEB SECURITY] How are you tackling CSRF?

Paul McMillan paul at mcmillan.ws
Sat Apr 23 17:58:15 EDT 2011


Rohit,

Good point about CSRF tokens that are present but not actually validated.

From your remediation step list, it sounds like you're using your
session token as the CSRF token. This is a really bad idea. Your
session cookie should be set to HTTP-only, to prevent it from being
stolen or misused by JavaScript in the event of an XSS bug. If you
use the same value in your form, JavaScript can access it, and
malicious attackers may be able to use that information to steal your
users' sessions.

If you hash your session cookie value and use that for your token, you
will (mostly) mitigate this problem.

Steve,

In general, ALL forms should have CSRF protection. Things like search
don't appear to be important at first, until you imagine how easily a
non-CSRF search could be used to cause a DoS on your site. Search is
usually an expensive operation. Don't make it easier for attackers.

-Paul
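As an added illustration of the two points in the message above (a CSRF token derived from the session rather than equal to it, and a token that is actually validated on every form post), here is a small self-contained Python example. It is not code from the original post or from any project the thread discusses. It uses a keyed HMAC over the session id rather than a bare hash, which is my design choice; `SERVER_SECRET`, the request dict layout and the `sessionid`/`csrf_token` names are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder for the example; a real deployment would load a
# long random secret from configuration, never hard-code it.
SERVER_SECRET = b"example-server-secret-not-for-real-use"


def csrf_token_for_session(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive the per-session CSRF token from the session id.

    The token is HMAC-SHA256(secret, session_id). It is stable for the life
    of the session, so it can be embedded in every form, but knowing the
    token does not reveal the session cookie value (the HMAC is one-way and
    keyed), which is the property the post asks for.
    """
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def validate_csrf(session_id, submitted_token, secret: bytes = SERVER_SECRET) -> bool:
    """Return True only if the submitted token matches the session's token.

    A token that is merely present is not enough: it is recomputed and
    compared in constant time. Missing session or token fails closed.
    """
    if not session_id or not submitted_token:
        return False
    expected = csrf_token_for_session(session_id, secret)
    return hmac.compare_digest(expected, submitted_token)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session: HttpOnly keeps it away from script."""
    return f"sessionid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def handle_form_post(request: dict) -> tuple:
    """Gate for any state-changing (or expensive, e.g. search) POST.

    `request` is a constructed dict with 'cookies' and 'form' sub-dicts
    standing in for a real framework's request object.
    """
    session_id = request.get("cookies", {}).get("sessionid")
    token = request.get("form", {}).get("csrf_token")
    if not validate_csrf(session_id, token):
        return 403, "CSRF validation failed"
    return 200, "ok"


def render_search_form(session_id: str) -> str:
    """Even a search form carries the token, so it cannot be fired cross-site."""
    token = csrf_token_for_session(session_id)
    return (
        '<form method="post" action="/search">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="q"><button>Search</button></form>'
    )


if __name__ == "__main__":
    sid = secrets.token_urlsafe(32)           # constructed session id
    print(session_cookie_header(sid))
    good = {"cookies": {"sessionid": sid},
            "form": {"csrf_token": csrf_token_for_session(sid), "q": "x"}}
    # The anti-pattern from the thread: reusing the session value as the token.
    bad = {"cookies": {"sessionid": sid},
           "form": {"csrf_token": sid, "q": "x"}}
    print(handle_form_post(good))   # (200, 'ok')
    print(handle_form_post(bad))    # (403, 'CSRF validation failed')
```

The token in the rendered form is readable by page script, as any form field is, but a script that steals it learns nothing about the HttpOnly session cookie; to forge a request it would still need the victim's cookie, which the browser attaches only to requests from the victim's own session.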
