Wednesday, December 19, 2012

Web Security: Preventing CSRF attack


CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. The most commonly used example is "someone tricking you to click on a link to be able to get hold of your logged on banking session and then withdraw money from your bank account without your consent/knowledge." For more information please refer to OWASP CSRF page.[1]

Note that CSRF attacks are also known by the following names: [1]
  • XSRF
  • Sea Surf
  • Session Riding
  • Hostile Linking
  • One-Click attack (Microsoft)
How much risk?
Based on the Verizon Data Breach Investigation Report of 2011, less than 1% of hacking attacks were carried out using CSRF to cause some sort of damage or data loss. [2]

What is the solution?
Fortunately, OWASP provides a non-invasive solution, CSRFGuard, so that anyone can protect their application in a matter of hours, if not minutes. The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML. When a user interacts with this HTML, CSRF prevention tokens (i.e. cryptographically random synchronizer tokens) are submitted with the corresponding HTTP request. [3]

Implementing CSRFGuard [4]
  1. Download OWASP.CsrfGuard.jar from here and place it under /WEB-INF/lib
  2. Declare CsrfGuard in your web application's deployment descriptor, i.e. web.xml, as shown below:

        <context-param>
            <param-name>Owasp.CsrfGuard.Config</param-name>
            <param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>
        </context-param>
       
        <context-param>
            <param-name>Owasp.CsrfGuard.Config.Print</param-name>
            <param-value>true</param-value>
        </context-param>
       
        <listener>
            <listener-class>org.owasp.csrfguard.CsrfGuardListener</listener-class>
        </listener>
       
        <filter>
            <filter-name>CSRFGuard</filter-name>
            <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>CSRFGuard</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
  3. Configure the Owasp.CsrfGuard.properties file as you see fit:

    org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
    org.owasp.csrfguard.NewTokenLandingPage=/login.jsp
    org.owasp.csrfguard.TokenPerPage=true
    org.owasp.csrfguard.TokenPerPagePrecreate=false

    org.owasp.csrfguard.Ajax=true

    org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
    org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)

    org.owasp.csrfguard.unprotected.Public=/login.jsp
    org.owasp.csrfguard.unprotected.Public=/public/*

    org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
    org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
    org.owasp.csrfguard.TokenLength=128
    org.owasp.csrfguard.PRNG=SHA1PRNG
NOTE: There are more configuration options available with CSRFGuard; please refer to the configuration section for the full list and a detailed explanation of the above properties.
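To make the behaviour behind the properties above concrete, here is a small framework-independent model of the synchronizer token pattern that CSRFGuard's filter implements: it issues a cryptographically random token, embeds one per page when TokenPerPage is on, skips the unprotected paths, accepts the token either as a form parameter or (for Ajax) as a request header, and writes the configured log message with the %user%/%remote_ip%/%request_uri%/%exception_message% placeholders filled in when a request is blocked. This is an added example, not CSRFGuard's own code; the class and method names, the choice of GET/HEAD/OPTIONS as token-free methods, the header name equal to the token name, and all request data are constructed assumptions for illustration.

```python
import fnmatch
import hmac
import secrets

# Settings mirrored from the Owasp.CsrfGuard.properties snippet above
TOKEN_NAME = "OWASP_CSRFTOKEN"
TOKEN_BITS = 128
UNPROTECTED = ["/login.jsp", "/public/*"]
LOG_TEMPLATE = ("potential cross-site request forgery (CSRF) attack thwarted "
                "(user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)")
# Assumption: these methods must not change state, so they carry no token
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class CsrfGuard:
    """Framework-independent synchronizer-token check (constructed example, not CSRFGuard)."""

    def __init__(self, token_per_page=True):
        self.token_per_page = token_per_page   # TokenPerPage
        self.log = []                          # stands in for the ConsoleLogger output

    def _fresh_token(self):
        # Cryptographically random token of 128 bits, as in TokenLength=128
        return secrets.token_hex(TOKEN_BITS // 8)

    def new_session_token(self, session):
        """Issue the session-wide token (what the filter does on the landing page)."""
        session[TOKEN_NAME] = self._fresh_token()
        session["page_tokens"] = {}
        return session[TOKEN_NAME]

    def token_for_page(self, session, uri):
        """Token to embed in the HTML served for `uri`. With TokenPerPage=true each
        page gets its own token, created lazily (TokenPerPagePrecreate=false)."""
        if not self.token_per_page:
            return session[TOKEN_NAME]
        return session["page_tokens"].setdefault(uri, self._fresh_token())

    @staticmethod
    def is_unprotected(uri):
        # org.owasp.csrfguard.unprotected.* entries: exact path or glob
        return any(fnmatch.fnmatchcase(uri, pattern) for pattern in UNPROTECTED)

    def check(self, session, method, uri, params=None, headers=None,
              user="anonymous", remote_ip="0.0.0.0"):
        """Return True if the request may proceed, False if it was blocked (and logged)."""
        params, headers = params or {}, headers or {}
        if method in SAFE_METHODS or self.is_unprotected(uri):
            return True
        # Validation never creates a token: a page that was never served has no valid token
        if self.token_per_page:
            expected = session.get("page_tokens", {}).get(uri)
        else:
            expected = session.get(TOKEN_NAME)
        # Form posts carry the token as a parameter; with Ajax=true the CSRFGuard
        # JavaScript sends it in a request header (header name assumed equal to TokenName)
        presented = params.get(TOKEN_NAME) or headers.get(TOKEN_NAME)
        if expected is None:
            error = "no token issued for this session/page"
        elif not isinstance(presented, str):
            error = "request token missing"
        elif not hmac.compare_digest(expected.encode(), presented.encode()):  # constant-time
            error = "request token does not match session token"
        else:
            return True
        self.log.append(LOG_TEMPLATE.replace("%user%", user)
                        .replace("%remote_ip%", remote_ip)
                        .replace("%request_uri%", uri)
                        .replace("%exception_message%", error))
        return False


def demo():
    """Walk through the issue/validate cycle on constructed requests."""
    guard = CsrfGuard(token_per_page=True)
    session = {}
    guard.new_session_token(session)
    transfer_token = guard.token_for_page(session, "/transfer.jsp")
    results = {
        "legit_post": guard.check(session, "POST", "/transfer.jsp",
                                  params={TOKEN_NAME: transfer_token}),
        "ajax_post": guard.check(session, "POST", "/transfer.jsp",
                                 headers={TOKEN_NAME: transfer_token}),
        "forged_post": guard.check(session, "POST", "/transfer.jsp",
                                   params={"amount": "1000"}, remote_ip="203.0.113.5"),
        "token_reused_on_other_page": guard.check(session, "POST", "/profile.jsp",
                                                  params={TOKEN_NAME: transfer_token}),
        "login_unprotected": guard.check(session, "POST", "/login.jsp"),
        "plain_get": guard.check(session, "GET", "/transfer.jsp"),
    }
    return results, guard.log


if __name__ == "__main__":
    results, log = demo()
    for name, allowed in results.items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
    for line in log:
        print(line)
```

Running the script shows the two blocked requests (the forged post without a token and the per-page token replayed against a different page) alongside the log lines a reviewer would look for in the console output; switching to `CsrfGuard(token_per_page=False)` gives the single per-session token that the properties produce with TokenPerPage=false.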

References:
[1] - Cross-Site Request Forgery (CSRF)
[2] - 2011 Data Breach Investigation Report Verizon
[3] - OWASP CSRFGuard Project
[4] - CSRFGuard 3 User Manual

4 comments:

  1. Nice tutorial!
    I've just tried to implement this solution in a Spring application, but I am checking all the objects in the session and I haven't found any object with the key OWASP_CSRFTOKEN

  2. OWASP_CSRFTOKEN = name your token free way

  3. After I am done doing these three steps, what should I test to confirm that the CSRF implementation is working for my webapp?

  4. How to validate the CSRF token from the server side?
