Preventing Cross Site Request Forgery

Web applications should be designed to have a unique entry in each individual HTTP request to prevent the attacker from knowing the URI required to make the malicious request, as shown here. This unique entry should be in addition to the cookies that are used to keep session state.

http://www.example.com/password.php?id=a529cd928fb29f985e
http://www.example.com/password.php?id=ed0143c5a2c95120b1

Utilizing confirmation pages and reauthentication for sensitive functions within the web application will also make it harder for attackers to carry out this attack successfully, since they would need either to request multiple pages to achieve the goal, which is possible using AJAX, or to enter details that only the user would know, such as the original password.

In highly secure environments, different browser products, such as Opera or Firefox, should be used for accessing the Internet and for accessing sensitive web applications. The default web browser should not be used to access the sensitive web applications. This will ensure that sessions are not able to be abused via malicious links.

Sessions should be forced to time out when the user exits the application by simply going to a third-party domain. This will prevent malicious sites from triggering CSRF attacks when the authenticated user visits them. The following code snippet is an example piece of AJAX code that detects the user leaving the web application's domain and, therefore, triggers a request to terminate the session.

function logout() {
    var xmlHttp;
    // Use the native XMLHttpRequest where available, falling back to the
    // legacy ActiveX object for older Internet Explorer versions.
    if (window.XMLHttpRequest) {
        xmlHttp = new XMLHttpRequest();
    } else {
        xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    // Asynchronously ask the server to terminate the current session.
    xmlHttp.open("POST", "LogOutScript.php?Type=LogOut", true);
    xmlHttp.send(null);
}

// Fire the logout request whenever the page is being unloaded.
window.onbeforeunload = logout;
