[Owasp-csrfguard] Question about secure REST request for csrf

Andreas Schnapp mail2snap at googlemail.com
Fri Mar 23 12:11:48 UTC 2012


Hi all,

I hope my question is not out of scope. I haven't found a general
OWASP mailing list for CSRF-related discussions/questions.

I want to secure REST requests against CSRF attacks and have searched for
possible solutions. I'm not sure if your framework is a bit
oversized for my needs.

I found the following prevention on Wikipedia
( http://en.wikipedia.org/wiki/Cross-site_request_forgery ):
"
A variation on this approach is to double submit cookies for users who
use JavaScript. If an authentication cookie is read using JavaScript
before the post is made, JavaScript's stricter (and more correct)
cross-domain rules will be applied. If the server requires requests to
contain the value of the authentication cookie in the body of POST
requests or the URL of dangerous GET requests, then the request must
have come from a trusted domain, since other domains are unable to
read cookies from the trusting domain.
"

I think some modification of this will work perfectly for me:
- before the client sends the AJAX request (which should be CSRF
secure), a one-time-use random token is generated (if this is not
secure on the client side, it can be fetched from the backend by a
pre-REST request to the server).
- this token is put into a cookie by JS
- this token is also added as a GET parameter to the AJAX request
- the server compares both values
- after the REST request is successful, the client removes the value from the cookie

To me this method seems really secure. The token is only used
once, and an attacker can't set cookies for my domain from their side.
This can also be used for non-REST requests if some JS magic adds
the token to the cookie and GET parameter before the submit action
is invoked.

Can someone please tell me if I have missed an important aspect?

I'm sorry if this is the wrong place for the question. If someone gives
me a hint, I will post it to some other list.

Thanks for reading and best regards,
Andreas Schnapp

