What products and scanners have you used successfully for detection and remediation of CSRF?
1- Request confirmation from the user for critical actions, at the risk of burdening the sequence of forms.
2- Request confirmation of the old password when the user wants to change it or change the account's email address.
3- Use validity tokens in forms: a posted form is accepted only if it was produced a few minutes ago; the token is the proof of validity. The validity token must be submitted as a parameter and verified server side.
4- Avoid using HTTP GET requests to perform actions: this technique will naturally eliminate simple attacks based on images, but will let through attacks based on JavaScript, which can easily make HTTP POST requests.
5- Check the "referer" on sensitive pages: knowing the client's provenance helps secure against such attacks. That is, block the client's request if the value of the "referer" differs from the page it should theoretically come from.
Anti-forgery tokens work because the malicious page cannot read the user’s tokens, due to same-origin policies. To prevent CSRF attacks, use anti-forgery tokens with any authentication protocol where the browser silently sends credentials after the user logs in. This includes cookie-based authentication protocols, such as forms authentication, as well as protocols such as Basic and Digest authentication.
You should require anti-forgery tokens for any nonsafe methods (POST, PUT, DELETE). Also, make sure that safe methods (GET, HEAD) do not have any side effects. Moreover, if you enable cross-domain support, such as CORS or JSONP, then even safe methods like GET are potentially vulnerable to CSRF attacks, allowing the attacker to read potentially sensitive data.
Razor HTML
@using (Html.BeginForm("Manage", "Account"))
{
    @Html.AntiForgeryToken()
}
C#
[ValidateAntiForgeryToken]
public ViewResult SubmitUpdate()
{
    // ... etc
}
Agree with Iqbal Bhai
The simplest method is to use an anti-forgery token; the anti-forgery token should comprise a salt (which needs to be changed regularly), some user-specific data (username or something) and a timestamp if you want to time out sessions.
The simplest option to prevent CSRF attacks is to define a unique token for each user, send it across in encrypted format and validate it at the other end. We can then validate the request and ignore invalid/unauthenticated request sources.
The first thing is to limit posts to be executed from just one domain; this will avoid the typical scenario of getting hacked from an external domain. The second thing is to add tools like tokens or extra authentication methods to make sure the user is completely validated into the system.
The simple way to prevent CSRF is giving a unique ID, then sending it across to the other end. Then it can easily be prevented.
1. Using encryption
2. By using a strong authentication token system
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The impact of a successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context. In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds transfer, form submission, etc.) via the target's browser without the knowledge of the target user, at least until the unauthorized function has been committed.
Impacts of successful CSRF exploits vary greatly based on the role of the victim. When targeting a normal user, a successful CSRF attack can compromise end-user data and their associated functions. If the targeted end user is an administrator account, a CSRF attack can compromise the entire Web application. The sites that are more likely to be attacked are community Websites (social networking, email) or sites that have high dollar value accounts associated with them (banks, stock brokerages, bill pay services). This attack can happen even if the user is logged into a Web site using strong encryption (HTTPS). Utilizing social engineering, an attacker will embed malicious HTML or JavaScript code into an email or Website to request a specific 'task url'. The task then executes with or without the user's knowledge, either directly or by utilizing a Cross-site Scripting flaw (ex: Samy MySpace Worm).
1- Using unpredictable random anti-forgery tokens
2- Using the SameSite flag in cookies
3- Avoid using HTTP GET requests in sensitive actions
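The token several answers describe (a salt and user-specific data plus a timestamp, verified server side within a few minutes, and no side effects on GET), as an added example that is not code from any of the answers above: an HMAC-keyed token bound to a user id, carrying a random nonce and an issue time, checked with a constant-time comparison and a short validity window. SERVER_SECRET, TOKEN_TTL_SECONDS and the function names are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a real deployment generates the secret once and
# keeps it outside source control; rotating it invalidates all outstanding tokens.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 300          # a token is only accepted a few minutes after issue
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def mint_token(user_id, now=None):
    """Return 'nonce.issued_at.mac' where mac = HMAC-SHA256(secret, user|nonce|issued_at)."""
    issued_at = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)                      # unpredictable random part
    msg = f"{user_id}|{nonce}|{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{issued_at}.{mac}"


def verify_token(token, user_id, now=None):
    """Accept only a well-formed, unexpired token whose MAC matches this user."""
    now = int(now if now is not None else time.time())
    try:
        nonce, issued_str, mac = token.split(".")
        issued_at = int(issued_str)
    except ValueError:
        return False                                   # malformed token
    if not 0 <= now - issued_at <= TOKEN_TTL_SECONDS:
        return False                                   # expired or future-dated
    msg = f"{user_id}|{nonce}|{issued_at}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)          # constant-time comparison


def allow_state_change(method, user_id, submitted_token, now=None):
    """Server-side gate: safe methods never change state; others need a valid token."""
    if method.upper() in SAFE_METHODS:
        return False                                   # refuse side effects on GET/HEAD
    return verify_token(submitted_token or "", user_id, now)
```

The nonce and MAC make the token unguessable to a page on another origin, which cannot read it thanks to the same-origin policy, so a forged cross-site POST arrives without a valid token and is rejected.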