Does using a token in an HTML form really protect against CSRF?


Viewed 1,216 times


Cross-site request forgery (CSRF) is a type of malicious exploitation of a website in which unauthorized commands are transmitted from a user whom the website trusts. Unlike cross-site scripting (XSS), which exploits a user's trust in a particular site, CSRF exploits a site's trust in a user's browser.

Reference

I have just asked a question about using a token in a hidden input of a form to avoid CSRF (Cross-Site Request Forgery), and another question came up.

Even when using tokens in login forms and the like, is it still possible to forge a request?

Are there other means, besides the CSRF token, to protect against this type of attack?

1 answer



Using tokens only provides prevention; there is no real guarantee of protection.

This attack can be prevented in several ways. Using the Synchronizer Token Pattern is one way: the application relies on the same-origin policy to avoid CSRF, keeping a secret value to authenticate requests.

By adopting the Synchronizer Token Pattern you ensure that every request requires, in addition to the session cookie, a randomly generated token sent as an HTTP parameter.

Each request submitted to the application should look up the expected value of the parameter and compare it with the actual value in the request; if the values do not match, the request should be aborted and, if possible, the token reset and the event logged as a potential attack.

This can be done safely because the same-origin policy ensures that a malicious website cannot read the response. Most current browsers implement this policy, so we can trust that this solution is suitable for this type of attack.

Here are some alternative solutions that can be used without the Synchronizer Token Pattern.
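The answer above describes the Synchronizer Token Pattern in prose. The following is an added, framework-independent Python sketch of the same pattern (not code from the question or answer): the server keeps a per-session token, embeds it as a hidden form field, and every state-changing request is only accepted when the submitted token matches the session's token in constant time; on mismatch the request is rejected, the token is rotated and the event is logged. The in-memory `SESSIONS` store, the `/transfer` endpoint and the `handle_transfer` function are assumptions made for illustration.

```python
import hmac
import logging
import re
import secrets

# Constructed in-memory session store (session_id -> session data). A real
# application would use its framework's server-side session instead.
SESSIONS = {}
CSRF_FIELD = "csrf_token"

log = logging.getLogger("csrf")


def new_session(user="alice"):
    """Create a logged-in session carrying a fresh, unguessable CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, CSRF_FIELD: secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Embed the session's token as a hidden field.

    Only the legitimate page can read this HTML: the same-origin policy stops
    a page on another origin from reading the response and learning the token.
    """
    token = SESSIONS[sid][CSRF_FIELD]
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="{CSRF_FIELD}" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def extract_token(html):
    """What the legitimate browser does: pick the hidden token out of the form."""
    match = re.search(rf'name="{CSRF_FIELD}" value="([^"]+)"', html)
    return match.group(1) if match else ""


def check_csrf(sid, form):
    """Compare the expected token with the submitted one.

    Returns True when the request may proceed. On mismatch the token is
    reset and the event is logged as a potential attack, as the answer says.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return False
    expected = session[CSRF_FIELD].encode()
    submitted = str(form.get(CSRF_FIELD, "")).encode()
    # constant-time comparison: a plain == would leak the token via timing
    if not hmac.compare_digest(expected, submitted):
        session[CSRF_FIELD] = secrets.token_urlsafe(32)  # rotate the token
        log.warning("possible CSRF for session %s", sid)
        return False
    return True


def handle_transfer(sid, form):
    """Hypothetical state-changing endpoint guarded by the synchronizer token.

    `sid` stands for the session cookie the browser sends automatically, which
    is exactly why the cookie alone must not authorise the action.
    """
    if not check_csrf(sid, form):
        return 403, "forbidden"
    return 200, f"transferred {form['amount']} for {SESSIONS[sid]['user']}"


if __name__ == "__main__":
    sid = new_session()
    token = extract_token(render_form(sid))
    # legitimate submission: cookie plus the token read from the page
    print(handle_transfer(sid, {CSRF_FIELD: token, "amount": "10"}))
    # forged submission: the attacker's page can make the browser send the
    # cookie, but cannot read the token, so the field is missing or wrong
    print(handle_transfer(sid, {"amount": "1000"}))
```

Note that the check has to run on every request that changes state, not only on the login form, and that the token is compared against the server-side session rather than against another value the browser sends; a token that lives only in a cookie would be submitted by a forged request just as automatically as the session cookie itself.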
