JavaRanch » Java Forums » Engineering » Security
Cross Site Request Forgery (CSRF)

Ashik Uzzaman
Ranch Hand

Joined: Jul 05, 2001
Posts: 2370

I started with the entry in http://en.wikipedia.org/wiki/Cross-site_request_forgery to understand what CSRF is and how to prevent it. I see people talking about preventing CSRF attacks through token generation. I should say that it's still not very clear to me, and I wanted to have some discussion with you on this.

I understand that we can generate some security tokens and save the timestamp for each user session, and the next time a request comes, check it against that token and timestamp. However, what I don't understand (in a broad sense) is how it is different from just using a regular session attribute or using a cookie. The steps to use a token, as far as my understanding goes, are:

1) Generate a token, using md5 or a random number or anything that an attacker can't guess.
2) Use a hidden field in the form (for POST) or a URL parameter (for GET) as the token value, where you put the generated token's value.
3) For each user request, determine whether the token is present or not and match it with the token value (and the timestamp, with a safe time-to-live) of the session attribute/request attribute.

This means I have to add the logic for checking this into a filter or controller, where I can inject the token or check the token validation condition.

But what about checking a first-time user request? At that time the new session is created, right? So the first page must be shown, as the token is not present. So if I have already shown the first page or executed the first URL, then I failed to prevent a CSRF attack for that first page/URL. Is that okay?

If you could put in some comments, that would help me clarify my thoughts and understanding on this topic. Thanks in advance.


Ashik Uzzaman
Senior Member of Technical Staff, Salesforce.com, San Francisco, CA, USA.
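The token scheme laid out in steps 1 to 3 above, as an added example (not code from this thread or from JavaRanch): a servlet Filter that issues a per-session token, stamps it with a time-to-live, and checks it on state-changing requests while letting the first-time GET through. The `csrfToken` names, the 15-minute TTL and the Servlet 4.0 API (which gives `init`/`destroy` default implementations) are assumptions.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

public class CsrfTokenFilter implements Filter {
    static final String TOKEN_ATTR = "csrfToken";        // session attribute: the token (assumed name)
    static final String ISSUED_ATTR = "csrfTokenIssued"; // session attribute: issue time in ms (assumed name)
    static final String TOKEN_PARAM = "csrfToken";       // hidden form field / URL parameter (assumed name)
    static final long TTL_MILLIS = 15 * 60 * 1000L;      // safe time-to-live for a token (assumed value)
    private final SecureRandom random = new SecureRandom();
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);
        String method = request.getMethod();
        // Only state-changing methods need a token. The first-time GET (new session,
        // no token yet) passes through; this is also where the token gets issued.
        boolean safe = "GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method);
        if (!safe && !tokenIsValid(session, request.getParameter(TOKEN_PARAM))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return;
        }
        // Issue a fresh token when none exists or it expired. Pages render it into a hidden
        // field, which a forged cross-site request cannot read (unlike the session cookie, which
        // the browser attaches automatically); that is what makes it different from a plain cookie.
        if (session.getAttribute(TOKEN_ATTR) == null || expired(session)) {
            byte[] bytes = new byte[32];
            random.nextBytes(bytes);
            session.setAttribute(TOKEN_ATTR, Base64.getUrlEncoder().withoutPadding().encodeToString(bytes));
            session.setAttribute(ISSUED_ATTR, System.currentTimeMillis());
        }
        chain.doFilter(req, res);
    }

    static boolean expired(HttpSession session) {
        Long issued = (Long) session.getAttribute(ISSUED_ATTR);
        return issued == null || System.currentTimeMillis() - issued > TTL_MILLIS;
    }

    // Constant-time comparison, so a wrong guess leaks nothing about the real token.
    static boolean tokenIsValid(HttpSession session, String submitted) {
        String expected = (String) session.getAttribute(TOKEN_ATTR);
        if (expected == null || submitted == null || expired(session)) return false;
        return MessageDigest.isEqual(expected.getBytes(), submitted.getBytes());
    }
}
```

Register the filter on the URL patterns that handle form posts; pages then emit `<input type="hidden" name="csrfToken" value="${sessionScope.csrfToken}">` in each form.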
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41155
The first page (where a session is created) would typically be the page after the login. That would presumably require the user to have sent username and password, something he needs to type in; that can't be done through a CSRF.


Ping & DNS - my free Android networking tools app