4 Cross-site request forgery

This chapter covers

  • How Cross-Site Request Forgery works;
  • What consequences Cross-Site Request Forgery may have;
  • Preventing Cross-Site Request Forgery;
  • Protecting against Cross-Site Request Forgery by protecting cookies;
  • How clickjacking is related to Cross-Site Request Forgery, and how it may be prevented;
  • How the Same-Origin Policy can help against Cross-Site Request Forgery, and why Cross-Origin Resource Sharing is needed.

In 2005, security researcher Samy Kamkar found a security vulnerability in the then-popular social network MySpace (if you’ve been around long enough, you might remember that service). He managed to inject JavaScript code into his profile page, a classic Cross-Site Scripting (XSS) attack as explained in chapter 2. The JavaScript code, however, did something really interesting: when executed, it issued an HTTP request on the victim’s behalf, adding them to Kamkar’s friends list. This started a chain reaction, and less than 20 hours later, Kamkar had over one million friends on MySpace.

NOTE

Kamkar himself provided a detailed reconstruction of the events at https://samy.pl/myspace/, and a thorough technical description of the attack at https://samy.pl/myspace/tech.html. However, I recommend that you read this chapter first, so that you know all the required technical details about this kind of attack.
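The forged request in the MySpace story worked because the browser attached the victim's session cookie automatically and the server could not tell it apart from a deliberate click. The following server-side check is an added example, not code from the book: it shows the two countermeasures the chapter headings name (an unpredictable per-session token, section 4.2.1, and a hardened session cookie, section 4.2.2), plus an Origin/Referer check as a second layer. The application origin `https://friends.example`, the `Request` stand-in and the in-memory `SESSIONS` store are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://friends.example"  # hypothetical application origin
SESSIONS: dict[str, str] = {}  # constructed in-memory store: session id -> CSRF token

def new_session() -> tuple[str, str]:
    """Create a session and a random CSRF token bound to it.

    A page on another origin can neither guess the token nor read it out of
    our HTML (the same-origin policy keeps our responses private)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]

def session_cookie_header(sid: str) -> str:
    # SameSite=Lax stops the browser attaching the cookie to cross-site POSTs;
    # Secure and HttpOnly keep it off plaintext links and away from scripts.
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"

@dataclass
class Request:  # minimal stand-in for a framework request object
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

def origin_is_ours(headers: dict) -> bool:
    # Browsers send Origin (or at least Referer) with cross-site POSTs; a value
    # naming another origin is a forgery. A missing header is tolerated here.
    src = headers.get("Origin") or headers.get("Referer")
    if src is None:
        return True
    p = urlsplit(src)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN

def csrf_check(req: Request) -> bool:
    """True only for a state-changing request the logged-in user really made."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so nothing to protect
    expected = SESSIONS.get(req.cookies.get("session", ""))
    if expected is None:
        return False  # no valid session, so the request can act for nobody
    submitted = req.form.get("csrf_token", "")
    # constant-time compare so response timing does not leak the token
    return hmac.compare_digest(submitted.encode(), expected.encode()) and origin_is_ours(req.headers)
```

The token must be embedded in the site's own forms and never placed in a cookie, since cookies are exactly what the browser sends along with a forged request.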

4.1 Anatomy of a Cross-Site Request Forgery Attack

4.2 Cross-Site Request Forgery Countermeasures

4.2.1 Making the HTTP Request Unpredictable

4.2.2 Securing the Session Cookie

4.3 Clickjacking

4.4 Cross-Origin Resource Sharing

4.5 Summary
