[Webappsec] blocking CSRF attacks

Stephen de Vries stephen at twisteddelight.org
Tue Dec 18 03:22:56 EST 2007


On Dec 14, 2007, at 7:57 PM, Paul Johnston wrote:

> Hi,
>
>> any one on the list aware of any IDS/IPS capable of blocking CSRF
>> attacks? If not, what will be the best policy to block CSRF.
>>
> The best fix is to code your application to include a random token on
> all forms that cause an action, and validate this when the form is  
> submitted.

If the token is only on the form, then this is still vulnerable to
CSRF as the attacker would just need to write a bit of JavaScript that
gets the page the form is on first, then reads the token and then
posts the form using the valid token.  So for the random token to
work, it would have to be applied to the whole click through route a
user can take to get to a form from login... and each link must
validate the previous token.

Stephen
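As an added illustration of the per-form random token Paul describes (this is example code written for this archive page, not code from either poster), the snippet below issues a token that is bound to the user's session, embeds it in the form, and rejects any state-changing request whose token is missing or does not validate. The server secret, the session cookie name, the `handle_transfer` handler and the dict-shaped request are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: in a real deployment this secret is loaded from configuration,
# not generated at import time (a restart would invalidate every open form).
SERVER_SECRET = secrets.token_bytes(32)


def make_csrf_token(session_id, secret=SERVER_SECRET):
    """Return a fresh token of the form '<nonce>.<hmac>' tied to session_id."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token, secret=SERVER_SECRET):
    """True only if token was minted for this session_id under this secret."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the expected MAC.
    return hmac.compare_digest(mac, expected)


def render_transfer_form(session_id):
    """Emit the HTML for an action form with the token in a hidden field."""
    token = make_csrf_token(session_id)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(request):
    """Hypothetical POST /transfer handler.

    request is a constructed dict: {"cookies": {...}, "form": {...}}.
    Returns (status_code, message). The token is read from the form body,
    never from the cookie, so a cross-site form post cannot supply it.
    """
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "not logged in"
    token = request.get("form", {}).get("csrf_token")
    if not verify_csrf_token(session_id, token):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {request['form'].get('amount')}"


if __name__ == "__main__":
    sid = "constructed-session-id"
    html = render_transfer_form(sid)
    tok = html.split('value="')[1].split('"')[0]
    print(handle_transfer({"cookies": {"session": sid}, "form": {"csrf_token": tok, "amount": "10"}}))
    print(handle_transfer({"cookies": {"session": sid}, "form": {"amount": "10"}}))
```

Binding the HMAC to the session id means a token copied out of one victim's page does nothing for a request that carries a different session cookie, and the server keeps no per-token state. A stored, per-session random value compared with `hmac.compare_digest` works just as well; what matters is that the value travels in the form body and is checked on every action, not merely that the page was rendered by the same site.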
