WEB

Preventing CSRF Attacks

What is CSRF?

CSRF (Cross-site request forgery, also known as XSRF) is an attack that exploits the trust a site places in the user's browser. If the user is logged in and holds a valid session cookie, the browser attaches that cookie to every request it sends to the site, regardless of which page triggered the request. The attacker therefore only has to trick the user into loading a page (or viewing an email or forum post) that makes the browser send a request to the site: the site sees a request carrying a valid session cookie and carries it out as if the user had intended it.

How is a CSRF attack performed?

Common ways, each of which makes the victim's browser issue a GET request (with the victim's cookies attached) to the target site as soon as the attacker's page is rendered:

<script src="http://example.com/index.php?cmd=test"></script>
<img src="http://example.com/index.php?cmd=test">
<iframe src="http://example.com/index.php?cmd=test"></iframe>
...

How to prevent CSRF in my applications?

> Limit the lifetime of session cookies, so that an idle or stolen session gives the attacker only a short window to exploit
> Require an unpredictable, cryptographically random, time-limited token that is unique per user session in every state-changing request (the synchronizer token pattern). The server stores the token with the session and rejects any request whose token is missing, expired or does not match. This is the primary defence: the attacker's page cannot read the token, so it cannot forge a request that carries it
> Require the user to re-authenticate (re-enter the password) before sensitive operations such as changing the password or email address; an attacker who can forge a request still cannot supply the user's password
> Check the HTTP Referer header and reject state-changing requests whose Referer is not your own origin. Treat this as defence in depth rather than the main control: some browsers, proxies and privacy settings strip the header, so decide deliberately whether a missing Referer is rejected
> Use POST requests instead of GET requests for anything that changes state. This defeats the <img>, <script> and <iframe> vectors above, which can only send GET, but it is not a CSRF defence on its own: an attacker page can contain a hidden form targeting your site and submit it automatically with JavaScript

!Important
Apply these measures in combination rather than picking just one: the per-session token is the control that actually stops the forged request, and the others limit the damage when something else goes wrong.