Cross-Site-Request Forgery (CSRF)

From Embedded Lab Vienna for IoT & Security


Cross-Site-Request Forgery

Victims are made to execute actions unwillingly on web applications they are authenticated to, because the browser attaches their session cookie to a request the attacker's page triggered. Some of those actions are

  • changing the password
  • changing the email address
  • changing the user role
  • creating an account
  • transferring money

Prevention

Synchronizer Token Pattern (STP)

This pattern includes a token, a secret and unique value, in each state-changing request; the server then validates that the token matches the one bound to the user's session and rejects the request otherwise.

Cookie

Set the "SameSite" attribute of the session cookie to "Strict" so that the browser strips it from all cross-origin requests.

Custom HTTP-Header

Custom headers can only be added by JavaScript, and only from within the same origin: a plain HTML form on an attacker's site cannot set them, so the server can reject state-changing requests that lack the expected header.
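The three preventions above, combined in one server-side check, as an added example that is not part of the original page: a per-session synchronizer token, a session cookie issued with SameSite=Strict, and acceptance of the token either as a hidden form field or in a custom header. The in-memory session store and the header name X-CSRF-Token are assumptions for the example.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store for this example: session id -> session data.
SESSIONS: Dict[str, Dict[str, str]] = {}
# Assumed header name; any header a plain HTML form cannot set works.
CSRF_HEADER = "X-CSRF-Token"


def create_session(user: str) -> str:
    """Open a session and bind a fresh, unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server embeds in its own forms (hidden field) or hands to its scripts."""
    return SESSIONS[sid]["csrf_token"]


def session_cookie(sid: str) -> str:
    """Set-Cookie value with SameSite=Strict: the browser omits it from cross-site requests."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def validate_state_change(cookie_sid: Optional[str], form_token: Optional[str],
                          headers: Dict[str, str]) -> bool:
    """True only if the request carries the token bound to the cookie's session.

    The token may arrive as a hidden form field (STP) or in a custom header that
    only same-origin JavaScript can add; a forged cross-site form has neither.
    """
    session = SESSIONS.get(cookie_sid or "")
    if session is None:
        return False  # no authenticated session, nothing to protect
    presented = form_token or headers.get(CSRF_HEADER)
    if not presented:
        return False  # token absent: treat the request as forged
    # Constant-time comparison so timing does not leak the token byte by byte.
    return hmac.compare_digest(presented, session["csrf_token"])


if __name__ == "__main__":
    sid = create_session("alice")
    print(session_cookie(sid))
    print("legitimate:", validate_state_change(sid, csrf_token_for(sid), {}))
    print("forged:", validate_state_change(sid, None, {}))
```

The validation must run on every state-changing endpoint, not only on the ones listed above, since an attacker picks whichever action is left unprotected.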