CSRF is an attack that forces an end user to execute unwanted actions on a web application in which he or she is currently authenticated. The most commonly used example is "someone tricking you into clicking a link to get hold of your logged-on banking session and then withdraw money from your bank account without your consent or knowledge." For more information please refer to the OWASP CSRF page. [1]
CSRF attacks are also known by the following names: [1]
- XSRF
- Sea Surf
- Session Riding
- Hostile Linking
- One-Click attack (Microsoft)
Based on the Verizon Data Breach Investigations Report of 2011, less than 1% of hacking attacks were carried out using CSRF to cause some sort of damage or data loss. [2]
What is the solution?
Fortunately, OWASP has provided a non-invasive solution, CSRFGuard, so that anyone can protect their application within a matter of hours, if not minutes. The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML. When a user interacts with this HTML, CSRF prevention tokens (i.e. cryptographically random synchronizer tokens) are submitted with the corresponding HTTP request. [3]
Implementing CSRFGuard [4]
- Download OWASP.CsrfGuard.jar from here and place it under /WEB-INF/lib
- Declare CsrfGuard in your web application's deployment descriptor, i.e. web.xml, as shown below:

    <context-param>
        <param-name>Owasp.CsrfGuard.Config</param-name>
        <param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>
    </context-param>
    <context-param>
        <param-name>Owasp.CsrfGuard.Config.Print</param-name>
        <param-value>true</param-value>
    </context-param>
    <listener>
        <listener-class>org.owasp.csrfguard.CsrfGuardListener</listener-class>
    </listener>
    <filter>
        <filter-name>CSRFGuard</filter-name>
        <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CSRFGuard</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

- Configure the Owasp.CsrfGuard.properties file as you see fit:

    org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
    org.owasp.csrfguard.NewTokenLandingPage=/login.jsp
    org.owasp.csrfguard.TokenPerPage=true
    org.owasp.csrfguard.TokenPerPagePrecreate=false
    org.owasp.csrfguard.Ajax=true
    org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
    org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
    # Each unprotected page needs its own unique name after "unprotected."; in a Java
    # properties file a repeated key is overwritten by the later value, so two entries
    # both named "Public" would leave /login.jsp protected.
    org.owasp.csrfguard.unprotected.Login=/login.jsp
    org.owasp.csrfguard.unprotected.Public=/public/*
    org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
    org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
    org.owasp.csrfguard.TokenLength=128
    org.owasp.csrfguard.PRNG=SHA1PRNG
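Below is an added example, not CSRFGuard's own code, of the synchronizer-token check that the filter and configuration above set up, written in Python so the logic can be read and run without a servlet container. The function names, the sample user and IP values, and the delivery of the token in a request header for Ajax calls are assumptions made for illustration; the configuration values are the ones from the properties file above.

```python
# Added illustration of the synchronizer-token check; not code from CSRFGuard itself.
import hmac
import secrets

TOKEN_NAME = "OWASP_CSRFTOKEN"             # org.owasp.csrfguard.TokenName
SESSION_KEY = "OWASP_CSRFTOKEN"            # org.owasp.csrfguard.SessionKey
TOKEN_BITS = 128                           # org.owasp.csrfguard.TokenLength
UNPROTECTED = ["/login.jsp", "/public/*"]  # org.owasp.csrfguard.unprotected.*
LOG_MESSAGE = ("potential cross-site request forgery (CSRF) attack thwarted "
               "(user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)")

def is_unprotected(uri):
    """Literal entries match exactly; an entry ending in '*' matches everything under its prefix."""
    for pattern in UNPROTECTED:
        if pattern.endswith("*"):
            if uri.startswith(pattern[:-1]):
                return True
        elif uri == pattern:
            return True
    return False

def session_token(session):
    """Per-session token: generated from the OS CSPRNG on first use and reused afterwards."""
    if SESSION_KEY not in session:
        session[SESSION_KEY] = secrets.token_hex(TOKEN_BITS // 8)  # 128 bits as 32 hex chars
    return session[SESSION_KEY]

def validate(session, uri, params, headers, user="anonymous", remote_ip="?"):
    """Return (accepted, log_line). The token may arrive as a form parameter or, for Ajax
    requests, in a header named after the token (header delivery is an assumption here)."""
    if is_unprotected(uri):
        return True, None
    expected = session.get(SESSION_KEY)
    presented = params.get(TOKEN_NAME) or headers.get(TOKEN_NAME)
    if expected is None:
        error = "session has no token"
    elif presented is None:
        error = "request is missing token"
    elif not hmac.compare_digest(expected.encode(), presented.encode()):  # constant-time compare
        error = "request token does not match session token"
    else:
        return True, None
    log = (LOG_MESSAGE.replace("%user%", user).replace("%remote_ip%", remote_ip)
           .replace("%request_uri%", uri).replace("%exception_message%", error))
    return False, log
```

A request to a protected URI is accepted only when it carries the same token that was placed in the session; every rejection yields the log line the Log action would emit.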
References:
[1] - Cross-Site Request Forgery (CSRF)
[2] - 2011 Data Breach Investigation Report Verizon
[3] - OWASP CSRFGuard Project
[4] - CSRFGuard 3 User Manual
Nice tutorial!
I've just tried to implement this solution in a Spring application, but I am checking all the objects in the session and I haven't found any object with the key OWASP_CSRFTOKEN
OWASP_CSRFTOKEN = name your token freely
After I am done doing these three steps, what should I test to confirm that the CSRF implementation is working for my webapp?
How to validate the CSRF token from the server side?