HackerSecret.com - The Most Authoritative Site in the World on the Hacking Tools and Techniques, Penetration Testing and CyberSecurity


Preventing CSRF Attacks

by / Saturday, 06 March 2021 / Published in Hacking

Cross-site request forgery (CSRF, sometimes pronounced "sea surf" and not to be confused with cross-site scripting) is a simple but damaging attack on a website. An attacker places a button or link on a site they control that makes a request to another site you are authenticated on. For example, a user is logged into an online banking platform with poor security; clicking a "download" button on an untrusted site silently submits a money-transfer request on their behalf through their current banking session. Because the forged request rides on the victim's session, the targeted site reveals information or performs actions as the authorized user, without their explicit permission.

CSRF attack prevention

Fortunately, CSRF attacks can be prevented. Let's look at some of the most effective ways to safeguard your website.

Being RESTful

Representational state transfer (REST) is a set of principles that assigns a type of activity (view, create, update or delete a resource) to each HTTP verb (GET, POST, PATCH, PUT, DELETE). Following a RESTful design keeps your code clean and scalable. It also has the added benefit of reducing vulnerabilities.

A key design principle that protects you from CSRF attacks is using GET requests only for view or read-only actions. These requests must not change data; they should only return what is already stored. This limits the number of requests that are exposed to CSRF attacks.

Anti-forgery tokens

Your website will also need to use POST, PUT, PATCH and DELETE requests. To safeguard these endpoints, you can require an anti-forgery token in every such request; only pages your own site rendered can supply it, so it identifies requests that come from a safe origin.

Every response rendered by the server contains the anti-forgery token, written out to a hidden HTML field. The client sends this token back with each request so the server can authenticate it. The server then knows the request came from a safe origin.

Most modern web frameworks include anti-forgery token management out of the box. For example, Ruby on Rails has a method called "protect_from_forgery" that authenticates requests on the server side. It also manages token generation and rendering the token into HTML elements.
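The two rules above (state-changing actions never go over GET, and every state-changing request must carry a token that only a server-rendered page could know) are shown below in a self-contained Python sketch. This is an added example, not code from the article or from Rails; the in-memory session store, the /transfer endpoint, the hidden field name authenticity_token and the three request scenarios are all constructed for illustration.

```python
import hmac
import re
import secrets
from typing import Optional, Tuple

# HTTP methods that must never change state on a RESTful site.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed in-memory session store: session id -> session data.
SESSIONS: dict = {}


def new_session(user: str) -> str:
    """Log a user in and bind a fresh random anti-forgery token to the session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid: str) -> str:
    """Server-rendered page: the session's token is written to a hidden field.
    A page served from another site cannot read this value, so it cannot forge the form."""
    token = SESSIONS[sid]["csrf"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="authenticity_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(method: str, sid: Optional[str], form: dict) -> Tuple[int, str]:
    """State-changing endpoint: refuse safe methods, then require a session and a matching token."""
    if method in SAFE_METHODS:
        # REST rule: GET only reads, so a transfer requested over GET is refused outright.
        return 405, "transfers must be submitted with POST"
    session = SESSIONS.get(sid) if sid else None
    if session is None:
        return 401, "no authenticated session"
    submitted = str(form.get("authenticity_token", ""))
    # Constant-time comparison so a token cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "missing or invalid anti-forgery token"
    return 200, f"transferred {form.get('amount')} on behalf of {session['user']}"


def token_from_page(html: str) -> str:
    """What the legitimate page does: submit the hidden field the server rendered."""
    match = re.search(r'name="authenticity_token" value="([^"]+)"', html)
    return match.group(1) if match else ""


def demo() -> dict:
    """Run the three cases from the article: legitimate, forged POST, and a state-changing GET."""
    sid = new_session("alice")  # alice logs in to the bank
    token = token_from_page(render_transfer_form(sid))
    return {
        "legitimate": handle_transfer("POST", sid, {"authenticity_token": token, "amount": "10"})[0],
        # A hidden form on a third-party site: the browser still sends alice's session
        # cookie (sid), but the attacker's page never saw the token.
        "forged_post": handle_transfer("POST", sid, {"amount": "1000"})[0],
        "forged_get": handle_transfer("GET", sid, {"amount": "1000"})[0],
    }


if __name__ == "__main__":
    print(demo())  # {'legitimate': 200, 'forged_post': 403, 'forged_get': 405}
```

The point the demo makes is that the session cookie alone is not enough: the forged request arrives with a valid session but without the token, and the 405 on GET shows why keeping GET read-only matters even before tokens are considered.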

Set cookies with the SameSite Attribute

Cookies are a way to add persistent state to websites. This is usually used to authorize users, store session data, and more. However, it's also an easy way to expose vulnerabilities. To address this, cookies contain a number of attributes that govern their behavior.

A commonly used attribute is Max-Age. The Chrome team recently introduced the SameSite attribute (now available across most major browsers), which is exceptionally useful in thwarting CSRF attacks.

The SameSite attribute lets you declare whether your cookie should be restricted to a first-party or same-site context. It gives you greater control over when the browser will attach the cookie to a request sent to your server.

Setting the SameSite attribute on a cookie is quite simple:

Set-Cookie: CookieName=CookieValue; SameSite=Lax;

Set-Cookie: CookieName=CookieValue; SameSite=Strict;

If the value is set to Strict, the browser strips such cookies from any request that originates on a third-party site and targets your site. It is the most secure setting and prevents a cross-site request from being processed as an authorized one.

Setting the value to Lax still sends the cookies with GET requests. This gives your user a seamless experience when they follow links from other sites to your site; otherwise they would have to reauthenticate to gain access.
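To make the Strict/Lax difference concrete, the added Python model below renders the Set-Cookie header in the form shown above and simulates the browser's decision of whether to attach the cookie in four constructed scenarios, including the forged cross-site POST from the introduction and the friendly link from another site. This is illustrative code, not from the article; the cookie name, value and scenario names are assumptions. The Lax rule implemented is the one browsers apply: the cookie is sent on a cross-site request only when it is a top-level navigation using a safe method.

```python
from dataclasses import dataclass
from typing import Dict

# Methods a browser treats as "safe" when applying SameSite=Lax.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    samesite: str = "Lax"   # "Strict", "Lax" or "None"
    secure: bool = False

    def set_cookie_header(self) -> str:
        """Render the header the server sends, in the form shown in the text."""
        parts = [f"{self.name}={self.value}", f"SameSite={self.samesite}"]
        if self.secure:
            parts.append("Secure")
        return "Set-Cookie: " + "; ".join(parts)


def browser_attaches(cookie: Cookie, method: str, cross_site: bool,
                     top_level_navigation: bool) -> bool:
    """Model of the browser's decision: is this cookie sent with the request?"""
    if not cross_site:
        return True                       # same-site requests always carry the cookie
    if cookie.samesite == "Strict":
        return False                      # never sent from a third-party context
    if cookie.samesite == "Lax":
        # Sent only when the user navigates to the site (link, redirect) with a safe
        # method; a cross-site POST or an embedded <img>/fetch gets no cookie.
        return top_level_navigation and method in SAFE_METHODS
    # SameSite=None opts out of the protection; browsers require Secure for it.
    return cookie.secure


# Constructed scenarios: (method, cross_site, top_level_navigation).
SCENARIOS = {
    "forged_cross_site_post": ("POST", True, True),    # hidden form auto-submitted from another site
    "link_from_other_site":   ("GET",  True, True),    # user clicks a link to your site
    "cross_site_image_get":   ("GET",  True, False),   # <img src=...> embedded on another site
    "same_site_post":         ("POST", False, False),  # normal form submit on your own site
}


def evaluate(cookie: Cookie) -> Dict[str, bool]:
    """Which scenarios deliver the session cookie for the given SameSite setting."""
    return {name: browser_attaches(cookie, *args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for samesite in ("Strict", "Lax", "None"):
        c = Cookie("session", "abc123", samesite=samesite, secure=True)
        print(c.set_cookie_header(), evaluate(c))
```

Running it shows the trade-off the text describes: Strict blocks the forged POST but also drops the session when a user follows a link to your site, while Lax blocks the forged POST and keeps the link working. Set the attribute explicitly rather than relying on a browser default, since defaults differ between browsers.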

Enabling CORS protection

Cross-origin resource sharing (CORS) adds flexibility to the same-origin policy (SOP). It allows controlled access for requests that originate outside a given domain. It is generally used when you need to serve API requests.

Having said this, relaxing the SOP does open your site up to cross-domain attacks. Fortunately, this can be prevented by keeping tight control over your CORS policy.

The request headers related to the policy are:

  • Origin
  • Access-Control-Request-Method
  • Access-Control-Request-Headers
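The following added Python example (not from the article) shows what "good control over your CORS policy" looks like on the server: it reads the three request headers listed above, answers only for an allow-listed origin, and validates a preflight's requested method and headers; beside it sits the weak setting, a handler that reflects any Origin while allowing credentials. The allow-list https://app.example.com, the permitted methods and headers, and the test origins are constructed values.

```python
from typing import Dict, Optional

# Constructed allow-list: the only origin permitted to call the API with credentials.
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"content-type", "authorization"}   # compared case-insensitively


def cors_response_headers(method: str, request_headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Decide the CORS headers for one request.

    Returns {} when there is no Origin (same-origin or non-browser client: nothing to add),
    None when the request must be refused (emit no CORS headers at all, so the browser
    blocks the cross-origin read), or the headers to emit."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    if origin not in ALLOWED_ORIGINS:
        return None
    headers = {
        "Access-Control-Allow-Origin": origin,        # echo only an allow-listed value
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                             # caches must not reuse this answer for another origin
    }
    if method == "OPTIONS" and "Access-Control-Request-Method" in request_headers:
        # Preflight: the browser asks whether the real request's method and headers are acceptable.
        wanted_method = request_headers["Access-Control-Request-Method"]
        wanted_headers = [
            h.strip().lower()
            for h in request_headers.get("Access-Control-Request-Headers", "").split(",")
            if h.strip()
        ]
        if wanted_method not in ALLOWED_METHODS or any(h not in ALLOWED_HEADERS for h in wanted_headers):
            return None
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        headers["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        headers["Access-Control-Max-Age"] = "600"
    return headers


def reflecting_cors_headers(method: str, request_headers: Dict[str, str]) -> Dict[str, str]:
    """The weak setting: reflect whatever Origin arrives and allow credentials.
    Any site the user visits then gets a credentialed channel to the API."""
    return {
        "Access-Control-Allow-Origin": request_headers.get("Origin", "*"),
        "Access-Control-Allow-Credentials": "true",
    }


if __name__ == "__main__":
    preflight = {"Origin": "https://app.example.com",
                 "Access-Control-Request-Method": "DELETE",
                 "Access-Control-Request-Headers": "Content-Type, Authorization"}
    print(cors_response_headers("OPTIONS", preflight))
    print(cors_response_headers("GET", {"Origin": "https://other.example"}))      # None: refused
    print(reflecting_cors_headers("GET", {"Origin": "https://other.example"}))    # weak: reflected
```

Note that a CORS policy governs whether a cross-origin page may read the response; it does not by itself stop a simple cross-site form POST from being sent, which is why the token and SameSite measures above remain necessary alongside it.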

Requiring additional authentication for sensitive actions

Before performing critical and sensitive actions on your site, it is always a good idea to require your users to reauthenticate themselves. This could be a one-time password sent to a registered email address or phone number, a simple CAPTCHA, or re-entering the password.

This prevents any sort of CSRF attacks and potentially even more dangerous attacks.

Conclusion

CSRF attacks make up a large percentage of web-based attacks. Fortunately, they are easy to prevent and to thwart before they even happen. Ensure you're following RESTful guidelines and stick to the principles and policies designed to help you. Finally, set up an AppSec performance monitoring lifecycle to ensure that the code you write and deploy meets industry standards.


Application Security Research, News, and Education Blog

Tagged under: Attacks, CSRF, preventing
