[Owasp-bahrain] Fwd: Re: [OWASP-Security101] CSRF token in a variable instead of hidden field

Ali Khalfan ali.khalfan at gmail.com
Sat Jun 6 15:47:13 UTC 2015


Might be of interest


-------- Forwarded Message --------
Subject: Re: [OWASP-Security101] CSRF token in a variable instead of
hidden field
Date: Sat, 6 Jun 2015 15:07:22 +0000 (UTC)
From: Jason Li <jason.li at owasp.org>
To: Alex Scherbanov <alex at egotv.ru>, security101 at lists.owasp.org

Using a CSRF sync token in a hidden field is one way of protecting your
application from CSRF attacks.
Note that the idea of the token value is that it is different for every
user (ideally different per session or even per request) so if the page
is truly static, you couldn't place the token value there as it would be
the same for everyone.
The reality with SPAs though is that since they often use XHR, you can
use another CSRF defense instead of a CSRF sync token in a hidden form
field. You can set a custom header in your XHR that your server side
code specifically looks for. If that header is not present, then the
application rejects the request.
Because an XHR request cannot set header values across domains and
because HTML form submits cannot set headers, there is (generally) no
way for an attacker to generate a forged request via CSRF with a custom
header. (Note there have been some browser vulnerabilities historically
that have allowed such behavior but that is rare).
AngularJS (a popular framework used for SPAs) uses exactly this header
model for its CSRF defense.
-Jason



    _____________________________
From: Alex Scherbanov <alex at egotv.ru>
Sent: Friday, June 5, 2015 1:49 PM
Subject: [OWASP-Security101] CSRF token in a variable instead of hidden
field
To:  <security101 at lists.owasp.org>


Hello.
I’ve just read a chapter on CSRF synchronizer token:
https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern

I want to create a single page application.
Do I understand correctly that recommendation to have CSRF sync token in
a hidden form field is for static html pages?
The purpose of the token is to prove the request was sent from the page,
not from a link in an email.
Then for an SPA I can just have this token in a variable and send it
with every ajax request, right?

   Alex Scherbanov

_______________________________________________
Security101 mailing list
Security101 at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/security101
List Run By OWASP
List Admin: Michael.Coates at owasp.org