A cross-site request forgery attack causes a visitor of a malicious website to send a request, including the session cookie, to a legitimate website to which they are already logged in.
2 votes, 2 answers, 73 views
Does CSRF work when the target site is not open on a tab?
This is an example attack scenario of OWASP for CSRF
The application allows a user to submit a state changing request that
does not include anything secret. For example:
...
0 votes, 2 answers, 66 views
Generating session CSRF token based on SSL session ID
Following situation:
Application is only accessible via HTTPS/SPDY
nginx is sending the SSL session ID to the upstream server
Upon session start I'd like to use the first 128 characters of that ...
1 vote, 2 answers, 62 views
CSRF protection with cookie and AJAX
I would like to note that I've read the other question with an embarrassingly similar title and it does not contain an answer to my question.
I have not used CodeIgniter as a programmer, but I have ...
6 votes, 3 answers, 102 views
CSRF Token in GET request
According to the OWASP testing guide a CSRF token should not be contained within a GET request as the token itself might be logged in various places such as logs or because of the risk of shoulder ...
2 votes, 2 answers, 146 views
CSRF protection and Single Page Apps
I am in the process of writing a thick client web app using Angular.js (single page app) and was wondering what are the best practices for securing the app using a CSRF token.
Should I send a CSRF ...
3 votes, 1 answer, 91 views
Do websocket-powered web apps (e.g. “comet” apps) have to worry about CSRF?
The standard advice for HTTP applications wanting to prevent Cross Site Request Forgery is to include a random token on each state-changing request (usually POST) which is verified by the server ...
2 votes, 2 answers, 83 views
Is it safer to store the XSRF value inside your JavaScript?
To protect yourself against XSRF, you need to have a separate token on a page.
See: Coding Horror: Preventing CSRF and XSRF Attacks, by Jeff Atwood
As the posting suggests, it's best to have those ...
4 votes, 3 answers, 168 views
Are CSRF Attacks Really Blind
I'm new to CSRF attacks but don't see how they are always blind.
Let's say we are dealing with a site where the asset we need to protect is the HTTP response. Something like SurveyMonkey or ...
10 votes, 5 answers, 498 views
CSRF protection with Session Id
To protect against CSRF, couldn't my page javascript just dynamically insert the session id from the cookie into the body of each HTTP request right before it's sent?
The server would then just ...
5 votes, 2 answers, 220 views
Type 2 XSS vs CSRF
Trying to create a thorough understanding of XSS and CSRF, I'm clear that a type 2 XSS involves an exploit that is persistent on the server.
e.g.
<SCRIPT type="text/javascript">
new ...
4 votes, 2 answers, 133 views
How Secure are Authenticity Tokens in Rails?
I came across a website which uses Rails Authenticity token to prevent CSRF attacks. My concern here is that I can see the authenticity token in the source code of the web page. If any other service ...
7 votes, 3 answers, 191 views
What are the risk implications of not verifying referer header on login form?
Imagine a generic web application with a login form to access the application. Regardless of how the actual authentication is performed, what are the implications of not checking the referer header to ...
5 votes, 1 answer, 114 views
CSRF protection - 'back pages'
OWASP suggests that when implementing CSRF protection any attempt to go 'Back' in the browser will cause issues, as interaction with this previous page will result in a CSRF false positive security ...
11 votes, 2 answers, 196 views
Why do browsers allow public websites to attack intranet sites?
When I'm visiting a website on the public internet, the website can cause my browser to send requests to a local IP address (such as 10.0.0.1). This can be used to attack internal web sites, e.g., ...
1 vote, 1 answer, 204 views
Anti-CSRF mechanism with referer header
This is not my main anti-CSRF mechanism; I know that https requests don't have a referer header; I know users or firewalls can remove it or set to an arbitrary fixed value.
I intend this mechanism ...
1 vote, 2 answers, 576 views
Storing anti-CSRF token in cookie
I generate a random anti-CSRF token per session and store it in a cookie (with http_only flag set); then add that token to forms (in hidden input field) and links.
When receiving a request on the ...
1 vote, 1 answer, 192 views
CSRF with OAuth or Bearer Authorization headers
I am designing a RESTful API which is to be accessible from a web browser. The API is protected by Basic authentication.
I understand the concept of CSRF, and the mitigations proposed (I found both ...
2 votes, 2 answers, 126 views
CSRF Login: can an attacker log in using valid credentials?
Considering this picture (taken from here, page 21):
Is this possible?
If so, how to prevent it?
0 votes, 1 answer, 106 views
CSRF mitigation in MVC
I'm wondering about the best way to protect against CSRF in MVC or any other stateless web app. Due to the stateless nature, we can not keep a secret token in the session and compare it to the secret ...
4 votes, 1 answer, 204 views
CodeIgniter CSRF confusion
I have been working with CodeIgniter for about 3 weeks and am very well on the way to loving this framework. However I have been looking at the core code of the framework and I was reading over the ...
0 votes, 1 answer, 264 views
Cookies + CSRF protection + AJAX
In my app (built in Codeigniter), users can submit status updates. When submitting forms, Codeigniter automatically provides a hidden cookie. I can validate that cookie through AJAX when the user ...
0 votes, 1 answer, 277 views
How about preventing CSRF this way?
According to the Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet, the recommended solution to protect a web site from CSRF attacks is to implement the Synchronizer Token Pattern. And this requires ...
14 votes, 1 answer, 693 views
Is Django's built-in security enough?
I have learned that Django provides built-in protection against the three main types of web app attacks (SQL injection, XSS and CSRF), which is really awesome.
Yet I have spoken to a few Django ...
5 votes, 3 answers, 315 views
CSRF Countermeasures
I'm working through a book on web application security and it says that an effective CSRF countermeasure is to assign a temporary pseudo-random token to sensitive actions performed by authenticated ...
1 vote, 1 answer, 212 views
Is one CSRF token per session adequate with HTTPS?
Ours is an Ajax-heavy application with concurrent Ajax requests. Generating unique tokens with each request, or expiring and creating new tokens after a certain interval, could get tricky with multiple ...
3 votes, 1 answer, 417 views
How does a CSRF token prevent an attack, and how can I safely use/avoid it for my JSON API?
I'm trying to make an iOS app communicate with a Ruby on Rails website using JSON. While trying to post a login to create a user session, I discovered I was missing a CSRF token. I had no idea what ...
3 votes, 1 answer, 182 views
How did the Tumblr worm spread?
Recently Tumblr was hit by a fast-spreading worm.
How did the worm work? What was the vulnerability in Tumblr that it exploited? Did it exploit an XSS vulnerability in Tumblr? A CSRF vulnerability ...
0 votes, 3 answers, 96 views
Does AV software protect web applications (Twitter, Facebook, etc) from attacks? (CSRF, etc)
Is it correct to say that AV software focuses on downloaded executables and locally malicious activity, and it doesn't actively scan HTTP/S content for web based attacks such as CSRF, XSS, phishing ...
1 vote, 1 answer, 131 views
Is there formal guidance that requires all sessions to be logged off when a user changes their password?
Often when an account is hacked, security guidance is to change your password. However I've noticed that changing a password sometimes isn't enough to log out of other sessions that are active.
Is ...
3 votes, 2 answers, 312 views
CSRF protection for AJAX when using multiple browser tabs
Say I've got that web application that has a CSRF protection according to the Synchronizer Token Pattern. The server expects a valid CSRF token in each POST request when the user is authenticated. Now ...
9 votes, 2 answers, 954 views
CSRF protection with custom headers (and without validating token)
For a REST API it seems that it is sufficient to check the presence of a custom header to protect against CSRF attacks, e.g. the client sends
"X-Requested-By: whatever"
and the server checks the ...
4 votes, 2 answers, 255 views
CSRF Protection on static pages
I have a static site which has forms. The forms submit to a Rails endpoint which captures the submitted data. The static site and the Rails endpoint are on the same domain, on different subdomains and ...
0 votes, 2 answers, 209 views
CSRF over post request without redirection?
Is there a way to forge a POST request without being redirected to the page where the parameters are submitted? For example:
<html>
<head>
<title>
CRSF example
</title>
...
10 votes, 4 answers, 1k views
Why refresh CSRF token per form request?
In many tutorials and guides I see that a CSRF token should be refreshed per request; my question is why do I have to do this? Isn't a single CSRF token per session much easier than regenerating one ...
2 votes, 1 answer, 258 views
Burpsuite Pro: CSRF tokens in sequencer
So I'm using Burp to try and estimate the entropy used by tokens to prevent CSRF.
Let's say a website has a URL on its site protected by a token:
<a ...
4 votes, 1 answer, 245 views
Ajax and CSRF protection
Without going into too much detail, I have a site which is 100% Ajax. All requests to the site (both GET and POST) are done via Ajax. Now I have to implement CSRF protection, and all the solutions I ...
5 votes, 1 answer, 598 views
OAuth2 Cross Site Request Forgery, and state parameter
http://tools.ietf.org/html/draft-ietf-oauth-v2-30#section-10.12 says:
The client MUST implement CSRF protection [...] typically accomplished by requiring any request sent to the redirection URI ...
5 votes, 4 answers, 613 views
Protecting against CSRF when a form is being submitted via an AJAX call
I'm using anti-CSRF tokens on all my forms to prevent CSRF attacks. Also, the tokens are being saved in the $_COOKIE variable to validate against the value I get from the form. I'm resetting the token ...
3 votes, 2 answers, 1k views
Why are CSRF tokens necessary?
It seems that the entire problem could be solved very elegantly by simply adding a new flag to the HTTP cookie specification.
Similarly to how cookies flagged Secure will only be submitted by the ...
1 vote, 3 answers, 217 views
Why can I read the response to this CSRF attack?
I have a website www.foo.com:8002 that I have resolved to 127.0.0.1:8002 in my hosts file. I have another (the main site) running at localhost:80.
In www.foo.com:8002 the page looks like
<form ...
6 votes, 3 answers, 498 views
Web Browsers and Cross Origin Resource Sharing
The CORS spec states that if a request method and headers are not simple (http://www.w3.org/TR/cors/#simple-cross-origin-request) then a preflight HTTP OPTIONS request is sent to see if the request is ...
1 vote, 2 answers, 782 views
How does ViewState protect against CSRF?
According to the OWASP CSRF Cheat Sheet, viewStateUserKey for ASP.NET ViewState is acceptable to prevent CSRF attacks, but I really don't get how. I get that this makes it hard for an attacker to ...
6 votes, 3 answers, 1k views
CSRF cookie vs session based tokens
I will generate a CSRF token and include it in a hidden form field. When receiving the request, I will check the form value against the value either stored in the user's session or in a cookie.
Is it ...
4 votes, 2 answers, 447 views
How to properly validate HTTP redirects?
I'm reading OWASP's Secure Coding Practices Checklist and under their "Input Validation" section they have an item that reads:
Validate data from redirects (An attacker may submit malicious ...
0 votes, 1 answer, 164 views
Understanding CSRF vulnerability in Web Application?
I want to understand what a CSRF vulnerability is. I use an authorization system in my web application and found CSRF.
What should we do to solve it?
Actually I want to create simulation for this ...
10 votes, 3 answers, 1k views
What risks do Cookieless sessions have? What are the mitigations?
I'm debating if I should support cookieless sessions in my web app. It would look something like this:
http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/orderform.aspx
Since the URL is never ...
4 votes, 1 answer, 190 views
Can anybody recommend any gems for checking security vulnerabilities?
I want to check one of my RoR projects for security vulnerabilities.
So can anybody recommend any gems for my needs?
1 vote, 2 answers, 265 views
Does a vulnerability exist when using XHR with GET method and custom anti-CSRF HTTP header?
Imagine a button after clicking which the browser sends an XHR HTTP request with the GET method. Characteristics:
after executing the request a sensitive action is performed
sensitive information is sent in GET ...
1 vote, 2 answers, 1k views
Header injection + CodeIgniter
I'm reading through Mozilla's Secure Coding Guidelines, and found this statement:
Don't trust any user data (input, headers, cookies etc). Validate it before using it
I'm using the CodeIgniter ...
4 votes, 4 answers, 5k views
Security issues using iframes
We are looking to move to iframes due to technical challenges. By moving to iframes it will be easier to manage the technical issues. But we are not totally sure of security implications of iframes.
...