16 Cross-site request forgery
This chapter covers
- Managing session ID usage
- Following state management conventions
- Validating the Referer header
- Sending, receiving, and verifying CSRF tokens
This chapter examines another large family of attacks known as cross-site request forgery (CSRF). A CSRF attack aims to trick the victim into sending a forged request to a vulnerable website. CSRF resistance boils down to whether a system can distinguish a forged request from a user's intentional requests. Secure systems do this via request headers, response headers, cookies, and state management conventions; defense in depth is not optional.
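The following is an added example, not code from the book or from any framework's CSRF middleware, showing the two checks the paragraph alludes to: a source-origin check on the request headers and a per-session token that only the legitimate site can place in its forms. The `Session` class, `SITE_ORIGIN`, `render_form` and `is_forged` are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed stand-in for server-side session state (hypothetical, not a framework API).
@dataclass
class Session:
    user: str
    # One unguessable token per session; the same-origin policy keeps other sites from reading it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


SITE_ORIGIN = "https://admin.alice.com"  # assumed origin of the protected site


def render_form(session: Session) -> str:
    """The site embeds the session's token in every form it renders itself."""
    return (
        '<form method="post" action="/group-membership/">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="username"><input name="group"><button>Add</button></form>'
    )


def is_forged(session: Session, headers: dict, form: dict) -> bool:
    """Return True when a POST should be rejected as a forged cross-site request.

    Two independent checks (defense in depth):
    1. The Origin (or Referer) header must name this site. Browsers attach Origin
       to cross-site form posts, and page content cannot alter it.
    2. The form must carry the token issued to this session. A page served by
       another origin cannot read that token, so it cannot include it.
    A request with neither header is treated as forged (strict policy).
    """
    source = headers.get("Origin") or headers.get("Referer", "")
    if source != SITE_ORIGIN and not source.startswith(SITE_ORIGIN + "/"):
        return True
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so a mismatch leaks no timing information.
    return not hmac.compare_digest(submitted, session.csrf_token)


if __name__ == "__main__":
    alice = Session(user="alice")
    own = {"Origin": SITE_ORIGIN}
    print(is_forged(alice, own, {"csrf_token": alice.csrf_token}))          # False
    print(is_forged(alice, {"Origin": "https://other.example"}, {}))          # True
```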
16.1 What is request forgery?
Suppose Alice deploys admin.alice.com, the administrative counterpart of her online bank. Like other administrative systems, admin.alice.com lets administrators such as Alice manage the group memberships of other users. For example, Alice can add someone to a group by submitting their username and the group name to /group-membership/.
One day Alice receives a text message from Mallory, a malicious bank employee. The text message contains a link to one of Mallory’s predatory websites, win-iphone.mallory.com. Alice takes the bait. She navigates to Mallory’s site where the following HTML page is rendered by her browser. Unbeknownst to Alice, this page contains a form with two hidden input fields. Mallory has pre-filled these fields with her username and the name of a privileged group.