Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Cross-Site Request Forgery"

From OWASP
Line 1: Line 1:
 
[[OWASP_Periodic_Table_of_Vulnerabilities#Periodic_Table_of_Vulnerabilities|Return to Periodic Table Working View]]
 
[[OWASP_Periodic_Table_of_Vulnerabilities#Periodic_Table_of_Vulnerabilities|Return to Periodic Table Working View]]
  
=== Cross-Site Request Forgery (CSRF ) ===
+
=== Cross-Site Request Forgery (CSRF) ===
  
 
== Root Cause Summary ==  
 
== Root Cause Summary ==  
  
The root cause of CSRF is the Web site trusting the Web authentication or cookie-based session IDs without verifying that the authenticated user actually requested or authorized the request.
+
A vulnerable application processes a transaction using an existing session, without verifying that the transaction was intended to be initiated by the user and not a malicious 3rd-party site. CSRF is also known as Session Riding or Confused Deputy.
  
 
== Browser / Standards Solution ==  
 
== Browser / Standards Solution ==  
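Review bot: the rewritten Root Cause Summary drops the old line's explicit point that the site trusts "cookie-based session IDs" without checking who initiated the request; keep that phrase alongside "processes a transaction using an existing session", since the trusted session credential is exactly what the token-based solution later in the page compensates for. The heading change is fine: it removes the stray space in "(CSRF )".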
Line 23: Line 23:
 
== Generic Framework Solution ==
 
== Generic Framework Solution ==
  
Automatically generate and check tokens for all POST requests by default, with configuration-based exclusion list. Disallow state changes via GET requests, enforcing RFC.
+
Automatically generate and check tokens for all POST requests by default, following the Synchronizer Token Pattern with configuration-based exclusion list for transactions which must not or need not be protected against CSRF. Disallow state changes via GET requests, enforcing RFC.
  
 
== Custom Framework Solution ==
 
== Custom Framework Solution ==
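Review bot: "enforcing RFC" in the added line names neither an RFC nor the requirement being enforced; state which specification rule makes GET unsuitable for state changes, or drop the clause. Minor: "with configuration-based exclusion list" reads better as "with a configuration-based exclusion list".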
Line 35: Line 35:
 
== Discussion / Controversy ==
 
== Discussion / Controversy ==
  
Cross Site Request Forgery is sometimes referred to as Session Riding.
+
CSRF tokens will be made obsolete by a browser/standards solution that allows a site owner to specify which external web sites are allowed to initiate transactions. The current HTTP specification by design allows any web site to initiate POST requests to any other web site on the behalf of its users.
 
+
While CSRF is very difficult to protect against, some potential solutions such as: Using a Secret Cookie; Only Accepting POST Requests; Multi-Step Transactions; or URL Rewriting do not always work. The best solution may be the use of a Synchronizer Token Pattern.  
+
  
 
== References ==
 
== References ==
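Review bot: the added sentence "CSRF tokens will be made obsolete by a browser/standards solution ..." states a prediction as fact; phrase it as "could be made obsolete" or attribute it. The following paragraph opens with "While CSRF is very difficult to protect against", which sits awkwardly next to the Generic Framework Solution's straightforward token approach and the paragraph's own conclusion that the Synchronizer Token Pattern is the best solution; "While several proposed defences are insufficient on their own, such as ..." would match what the list actually says. Also the trailing blank "+" line and the trailing space after "Synchronizer Token Pattern." can go.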

Revision as of 02:55, 21 July 2013



Cross-Site Request Forgery (CSRF)

Root Cause Summary

A vulnerable application processes a transaction using an existing session, without verifying that the transaction was intended to be initiated by the user and not by a malicious third-party site. CSRF is also known as Session Riding or Confused Deputy.

Browser / Standards Solution

Change default browser behavior to look for policy file for cross-domain writes instead of "default allow", transitioning through CSP framework.

Generic

None

Framework Solution

None

Perimeter Solution

None

Generic Framework Solution

Automatically generate and check tokens for all POST requests by default, following the Synchronizer Token Pattern, with a configuration-based exclusion list for transactions which must not or need not be protected against CSRF. Disallow state changes via GET requests, enforcing the RFC.
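The following is an added example, not code from the OWASP page, showing what the framework-level behaviour described above looks like in practice: a per-session synchronizer token embedded in every rendered form, a filter that checks it on every non-safe request (with a constant-time comparison), a configuration-based exclusion list, and a refusal to perform a state change over GET. The `Session` and `Request` classes, the paths `/transfer` and `/webhook/payment-provider`, and the exclusion list are all constructed stand-ins for whatever a real framework provides.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Configuration, constructed for this example: paths exempt from the token
# check (an endpoint authenticated by other means, say) and paths that
# change state and therefore must never be reachable via GET.
CSRF_EXEMPT_PATHS = frozenset({"/webhook/payment-provider"})
STATE_CHANGING_PATHS = frozenset({"/transfer"})
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass
class Session:
    """Server-side session; the synchronizer token is stored here, tied to the user."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for the example)."""
    method: str
    path: str
    session: Session
    form: dict = field(default_factory=dict)


class CsrfError(Exception):
    pass


def render_form(session: Session, action: str) -> str:
    """Every state-changing form the site renders embeds the session's token."""
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        "</form>"
    )


def enforce_csrf(request: Request) -> None:
    """Framework-level filter run before any handler (Synchronizer Token Pattern)."""
    if request.method in SAFE_METHODS:
        if request.path in STATE_CHANGING_PATHS:
            # GET must be safe: refusing it here means a link or image load
            # can never perform the transaction, token or no token.
            raise CsrfError(f"{request.path} changes state; GET is not allowed")
        return
    if request.path in CSRF_EXEMPT_PATHS:
        return
    submitted = request.form.get("csrf_token", "")
    expected = request.session.csrf_token
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        raise CsrfError("missing or invalid CSRF token")


def handle(request: Request, balances: dict) -> tuple:
    """Dispatch through the filter; returns (status, body) like a tiny web app."""
    try:
        enforce_csrf(request)
    except CsrfError as err:
        return 403, str(err)
    if request.path == "/transfer":
        amount = int(request.form.get("amount", "0"))
        balances[request.session.user] -= amount
        return 200, f"transferred {amount}"
    if request.path == "/webhook/payment-provider":
        return 200, "webhook accepted"
    return 404, "not found"


if __name__ == "__main__":
    alice = Session("alice")
    balances = {"alice": 100}
    # Legitimate flow: the browser submits the form the site rendered, token included.
    print(handle(Request("POST", "/transfer", alice,
                         {"csrf_token": alice.csrf_token, "amount": "10"}), balances))
    # Request initiated by a third-party page: the session is present, the token is not.
    print(handle(Request("POST", "/transfer", alice, {"amount": "10"}), balances))
    # A state change attempted via GET is refused before any handler runs.
    print(handle(Request("GET", "/transfer", alice, {"amount": "10"}), balances))
    print(balances)
```

The token is generated once per session and compared server-side, so a third-party page, which cannot read the victim's session or the rendered form, cannot supply it; the exclusion list is the only way to bypass the check, which is why it is configuration rather than a per-handler decision.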

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

CSRF tokens will be made obsolete by a browser/standards solution that allows a site owner to specify which external web sites are allowed to initiate transactions. The current HTTP specification by design allows any web site to initiate POST requests to any other web site on behalf of its users.

References

OWASP - Top 10 2013-A8-Cross-Site Request Forgery (CSRF)

OWASP - Cross-Site Request Forgery (CSRF)

OWASP - Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet

OWASP - OWASP CSRF Tester Project

OWASP - Testing for CSRF (OWASP-SM-005)

CWE-352: Cross-Site Request Forgery (CSRF)

WASC - Cross Site Request Forgery

CAPEC-62: Cross Site Request Forgery (aka Session Riding)