Using a token in an HTML form does it actually protect against CSRF?


Cross-site request forgery (CSRF) is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits a user's trust in a particular site, CSRF exploits a site's trust in a user's browser.

Reference

I just asked a question about using a token in a hidden input of a form to avoid CSRF (Cross-Site Request Forgery), and it left me with a question.

Even using tokens in login forms and the like, is it still possible to forge a request?

Are there other ways, besides the CSRF token, to protect against this type of attack?

asked by anonymous 13.02.2015 / 14:09

1 answer


Using tokens only provides prevention; there is no real guarantee of protection.

This attack can be prevented in several ways. Using the Synchronizer Token Pattern is one way: the application relies on the same-origin policy to avoid CSRF, maintaining a secret key to authenticate requests.

By adopting the Synchronizer Token Pattern you ensure that every request requires, in addition to the session cookie, a randomly generated token as an HTTP parameter.

For each request that is submitted, the application should look up the expected value of the parameter and compare it with the actual value in the request; if the values do not match, the request should be aborted and, if possible, the token reset and the event logged as a potential attack.

This can be done safely thanks to the same-origin policy, which ensures that the malicious website cannot read the response. Most current browsers implement this policy, so we can consider this solution appropriate for this type of attack.

Here shows some solutions that should not be adopted, as well as alternatives that can be used without the Synchronizer Token Pattern.

13.02.2015 / 17:14
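The Synchronizer Token Pattern described in the answer, worked through in Python as an added example (this is not code from the original question or answer). The class name `CsrfProtection`, the session ids, the `/transfer` form and the `handle_transfer` handler are all hypothetical; the three simulated flows show a legitimate submission succeeding, a forged submission with no token failing, and a forged submission carrying a token from the attacker's own session failing because tokens are bound to the victim's session.

```python
import hmac
import secrets


class CsrfError(Exception):
    """Raised when a state-changing request carries no valid token."""


class CsrfProtection:
    """Synchronizer Token Pattern: one unpredictable token per session, kept
    server-side and echoed in a hidden form field. Hypothetical minimal
    implementation; a real application ties this to its session store."""

    FIELD = "csrf_token"

    def __init__(self):
        self._tokens = {}          # session id -> expected token
        self.suspect_events = []   # constructed "log" of rejected requests

    def issue(self, session_id):
        # 32 random bytes in a URL-safe alphabet ([A-Za-z0-9_-]), so the value
        # can be placed in an HTML attribute without further escaping.
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def render_form(self, session_id):
        """Server-side rendering: the token rides along as a hidden input."""
        token = self._tokens.get(session_id) or self.issue(session_id)
        return ('<form method="post" action="/transfer">'
                f'<input type="hidden" name="{self.FIELD}" value="{token}">'
                '<input name="amount"><button>Send</button></form>')

    def validate(self, session_id, form):
        """Compare the submitted token with the one expected for this session.
        On mismatch: log the event, rotate the token and reject the request."""
        expected = self._tokens.get(session_id)
        submitted = str(form.get(self.FIELD, ""))
        # compare_digest is constant-time; both sides as bytes to accept any input
        if expected is None or not hmac.compare_digest(expected.encode(), submitted.encode()):
            self.suspect_events.append({"session": session_id, "reason": "bad csrf token"})
            self.issue(session_id)  # reset so a guessed token cannot be retried
            raise CsrfError("request rejected: invalid CSRF token")
        return True


def extract_token(html):
    """What the victim's own browser does implicitly when it submits the form."""
    marker = f'name="{CsrfProtection.FIELD}" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def handle_transfer(csrf, session_id, form):
    """Hypothetical /transfer handler: True if the action was performed."""
    try:
        csrf.validate(session_id, form)
    except CsrfError:
        return False
    return True


def legitimate_submission():
    csrf, victim = CsrfProtection(), "sess-victim"     # victim's session cookie value
    page = csrf.render_form(victim)                     # GET /transfer for the victim
    form = {"amount": "100", CsrfProtection.FIELD: extract_token(page)}
    return handle_transfer(csrf, victim, form)


def forged_submission():
    """Attacker page auto-submits to /transfer. The browser attaches the victim's
    cookie, but the same-origin policy keeps the attacker from reading the
    victim's page, so the matching token is never available to the attacker."""
    csrf, victim = CsrfProtection(), "sess-victim"
    csrf.render_form(victim)                            # a token exists for the victim
    return handle_transfer(csrf, victim, {"amount": "100"})   # no token in the forgery


def cross_session_submission():
    """Attacker uses their own account's token: tokens are per session, so it fails."""
    csrf, victim, attacker = CsrfProtection(), "sess-victim", "sess-attacker"
    csrf.render_form(victim)
    attacker_token = extract_token(csrf.render_form(attacker))
    return handle_transfer(csrf, victim, {"amount": "100", CsrfProtection.FIELD: attacker_token})


def token_rotated_after_failure():
    """After a rejected request the old token is stale too; the victim reloads the form."""
    csrf, victim = CsrfProtection(), "sess-victim"
    old_token = extract_token(csrf.render_form(victim))
    handle_transfer(csrf, victim, {"amount": "1"})     # forged, rejected, token rotated
    return handle_transfer(csrf, victim, {CsrfProtection.FIELD: old_token})


if __name__ == "__main__":
    print("legitimate:", legitimate_submission())
    print("forged (no token):", forged_submission())
    print("forged (attacker's token):", cross_session_submission())
    print("old token after rotation:", token_rotated_after_failure())
```

The token is compared with `hmac.compare_digest` rather than `==` so that the comparison does not leak how many leading characters matched; the rotation on failure follows the answer's advice to reset the token and log the event. As the answer notes, this defeats only requests the attacker cannot read the response to; the token must still be kept out of URLs and referrers, and a site with an XSS flaw can have its tokens read by the injected script.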