Join the social network of Tech Nerds, increase skill rank, get work, manage projects...
 
  • Cross-Site Request Forgery (CSRF)

    • 0
    • 0
    • 0
    • 0
    • 1
    • 0
    • 0
    • 0
    • 366
    Comment on it

    Cross-Site Request Forgery (CSRF) mainly occurs when user logs in vulnerable site and then user visit the malicious site in the another tab of browser. Malicious site may contain some code which can call actions/methods from vulnerable site.
    For example:

    1. User logs in www.vulnerablesite.com using credentials.
    2. User gets authorize using form authenticaion and set cookies to browser.
    3. Now, if user visits mailicious site i.e. www.mailicioussite.com which contains following code:
      <form action="http://vulnerablesite.com/transaction" method="post">
      	<input type="hidden" name="accountnumber" values="xxxxxxxxxxxx" />
      	<input type="hidden" name="amount" values="100000" />
      	<input type="submit" value="click me" />
      </form>
      The CSRF part is the form action posts to vulnerable site instead of malicious site.
    4. After pressing "click me" button by user, the browser will add authenticaion cookie with the request.

    5. This request will be authenticated on server with the user authenticaion context and can do anything that authenticated user is allowed to do.

    To prevent CSRF attacks, ASP.NET uses anti-forgery tokens which is also called as "request validation token".
    In this approach, the client request a HTML pages which cont a form. The server includes two token in the response. One token sent as a "Cookie" and the other is placed in a hidden form field. When the client submits the form, both tokens send back to server. If a request does not include both tokens, the server deny the request.

 1 Comment(s)

Sign In
                           OR                           
                           OR                           
Register

Sign up using

                           OR                           
Forgot Password
Fill out the form below and instructions to reset your password will be emailed to you:
Reset Password
Fill out the form below and reset your password: