[OWASP-Security101] Inquiry on csrf prevention solution

Sarah Baso sarah.baso at owasp.org
Thu Apr 26 13:12:44 UTC 2012


All -
We received the inquiry below via the OWASP Contact Us page, and thought
this would be the appropriate forum to help!  I have cc'ed the sender for
your response (and recommended that he subscribe to the list).

Thanks!
Sarah Baso
-----------------------------------------------------------------------------------------------------------------------

Hello,

I want to discuss one idea I have to prevent REST requests from CSRF attacks.
I haven't read about a solution like that. So I want to find out if I
missed something important. Additionally, if the solution is useful I want
to share it.

The idea to prevent CSRF in REST requests:
- before the client sends the AJAX request (which I want to make CSRF secure),
a one-time-use random token is generated* (if this is not secure on the client
side, it can be fetched from the backend by a pre-REST
request to the server).
- this token will be put into a cookie from JS
- this token will also be added as a GET parameter for the AJAX request
- the server will compare both values
- after the REST request is successful the client removes the value from the cookie

For me this method seems really secure. The token will only be used once,
and an attacker's site, as far as I know, can't send a request with a custom
self-set cookie header. As far as I know the browser always sends the
cookie header related to the cookies which are set from responses of the
owner domain or per JS of that domain.
Also this can be used for non-REST requests if some JS magic adds
the token to the cookie and GET parameter before the submit action is invoked.

* I think for common CSRF-protection needs you can take a simple timestamp
instead of the randomly created token. The attacker needs to brute-force the
timestamp in the time window in which one REST request is processed. The time
slot will mostly be very small.

Can someone please tell me if I have missed an important aspect?

Thanks and best regards
Andreas Schnapp
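The server-side half of the scheme described in the inquiry above (compare the cookie token with the GET token, accept each token once), written here as an added example for discussion; it is not the poster's code. The cookie and parameter name `csrf_token`, the in-memory set of spent tokens and the token format are assumptions for illustration.

```python
"""Server-side check for the double-submit scheme in the inquiry above.

Added example (not the poster's code). The client generates a one-time token,
stores it in a cookie (assumed name: ``csrf_token``) and sends the same value
as a GET parameter (same assumed name). The server accepts the request only
when both are present, equal, and not seen before.
"""
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Tokens that have already been accepted once. A real service would scope this
# per session and expire entries; a module-level set is enough to show the
# one-time-use rule from the post.
_used_tokens: set = set()


def generate_token() -> str:
    """What the client-side step produces: 32 random bytes, hex encoded."""
    return secrets.token_hex(32)


def verify_double_submit(cookie_header: str, query_string: str) -> bool:
    """Return True only if cookie token and GET token match and are unspent."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get("csrf_token")
    params = parse_qs(query_string or "")
    if morsel is None or "csrf_token" not in params:
        return False                       # one side missing: reject
    cookie_token = morsel.value
    query_token = params["csrf_token"][0]
    # Constant-time comparison so a mismatch does not leak where it differs.
    if not cookie_token or not hmac.compare_digest(cookie_token, query_token):
        return False                       # values differ: reject
    if cookie_token in _used_tokens:
        return False                       # token already spent: reject replay
    _used_tokens.add(cookie_token)         # one-time use: burn it now
    return True


if __name__ == "__main__":
    # Constructed sample exchange: first use passes, the replay is refused.
    tok = generate_token()
    print(verify_double_submit(f"csrf_token={tok}", f"csrf_token={tok}"))
    print(verify_double_submit(f"csrf_token={tok}", f"csrf_token={tok}"))
```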

