Prevent CSRF Attacks

What is a CSRF attack:

Cross-Site Request Forgery (CSRF) is a web security vulnerability; you can say it’s a type of attack in which a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site while the user is authenticated there.

A guide to preventing CSRF attacks:

Before that, I will go over some security approaches that are commonly used against CSRF, starting with the prevention measures that do NOT work.

Using a secret cookie: every cookie is submitted with every request, so an admin’s or end user’s secret cookie is sent along as well. All authentication tokens are submitted whether or not the end user was tricked into making the request. So this is not a good way to prevent CSRF attacks.

Only accepting POST requests: it is possible to design your application to accept only POST requests. The misconception is that an attacker then cannot construct a malicious link, so a CSRF attack cannot be executed. Unfortunately this logic does not hold. There are many ways an attacker can trick a victim into submitting a forged POST request, for example a simple form with hidden values that is auto-submitted by JavaScript. So this is not an effective preventive either.

So, what really works against CSRF attacks?

In short, the following principles should be followed to defend against CSRF:

  1. Check if your framework has built-in CSRF protection and use it
  2. Always use the SameSite cookie attribute for session cookies
  3. Implement at least one mitigation from the Defense in Depth Mitigations section
  4. Use custom request headers
  5. Verify the origin with standard headers
  6. Use double submit cookies
  7. Consider implementing user interaction based protection for highly sensitive operations
  8. Remember that any Cross-Site Scripting (XSS) can be used to defeat all CSRF mitigation techniques!
  9. Do not use GET requests for state changing operations. If for any reason you do, you have to also protect those resources against CSRF.

The first method is the most popular and easiest to apply. All you have to do is use the built-in synchronizer token defenses that many frameworks, such as Django, .NET and others, already ship with. Some frameworks may not have a built-in CSRF protection token, and you will need to add an external component. In Django you use the csrf_token template tag inside the form, as in the form example further down.

Synchronizer Token Pattern:

CSRF tokens should be generated on the server side. They can be generated per user session or per request.

A per-request CSRF token is more secure than a per-session one, since with a session-long token an attacker may have time to exploit a leaked value. This depends on your requirements, but best practice is a per-request token. Example: if you press the back button and post a form again with valid input, the previous CSRF token is no longer valid on the server. In a per-session implementation, after the initial generation of the token its value is stored in the session and used for all requests until the session expires.

When a request is issued by the user, the server must verify the existence and validity of the token. If the token is not valid, the request is aborted, the user session is terminated, and the event is logged on the server as a potential CSRF attack.

So the main point to understand is that an attacker cannot make a valid POST request to the back end without knowing the CSRF token.

So a CSRF token needs to be:

  1. Secret
  2. Unpredictable
  3. Unique

The CSRF token shouldn’t be transmitted in a cookie. Also make sure that the token is not leaked in the server logs or in the URL.
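The following is an added example (not from the article or from Django) of the synchronizer token pattern described above: a hypothetical server-side CsrfProtector that issues either one per-session token or one-time per-request tokens, binds them to the session, compares in constant time, and shows how a replayed or cross-session token is rejected.

```python
import hmac
import secrets
from typing import Dict, Optional, Set


class CsrfProtector:
    """Synchronizer Token Pattern over a server-side session store.

    Hypothetical helper written for this article; it is not Django's
    CsrfViewMiddleware. With per_request=True every issued token is
    one-time (consumed on first successful check); otherwise a single
    token lives in the session until the session is ended.
    """

    def __init__(self, per_request: bool = False):
        self.per_request = per_request
        # session_id -> set of currently valid tokens; stays on the server,
        # the token only travels to the client inside a hidden form field.
        self._sessions: Dict[str, Set[str]] = {}

    def issue_token(self, session_id: str) -> str:
        """Return the token to embed in the form (never set it as a cookie)."""
        tokens = self._sessions.setdefault(session_id, set())
        if not self.per_request and tokens:
            return next(iter(tokens))  # reuse the single per-session token
        token = secrets.token_urlsafe(32)  # secret, unpredictable: 256 random bits
        tokens.add(token)
        return token

    def verify(self, session_id: str, submitted: Optional[str]) -> bool:
        """Check a token on a state-changing request; False means abort and log."""
        if not submitted:
            return False
        tokens = self._sessions.get(session_id, set())
        # Compare only against tokens bound to *this* session, in constant time.
        for token in tokens:
            if hmac.compare_digest(token.encode(), submitted.encode()):
                if self.per_request:
                    tokens.discard(token)  # one-time: a replay (e.g. back button) fails
                return True
        return False

    def end_session(self, session_id: str) -> None:
        """Terminate the session after a failed check, as the article recommends."""
        self._sessions.pop(session_id, None)
```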

Writing CSRF-preventive secure code (practical demo):

* ASP.NET:


* Django:


A fully CSRF-protected Django form example:

    <form method="post">
        {% csrf_token %}
        {% for field in form %}
            {{ field.label_tag }}<br>
            {{ field }}
            {% if field.help_text %}
                <small style="color: grey">{{ field.help_text }}</small>
                <br><br>
            {% endif %}
        {% endfor %}
        <button type="submit" class="btn">Submit</button>
    </form>

If you want to deploy a whole web project that must be protected against CSRF attacks, you can follow my GitHub link below:




More articles by Ayemun Hossain