Tuesday, July 26, 2016

Cross Site Forgery Attack Prevention

What is CSRF ?

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. CSRF exploits the trust that a site has in a user's browser. (Reference)
Below are several things an attacker looks for in order to execute a CSRF attack:
  • A site that doesn't validate the "Referer" header (which is common).
  • A form submission at the target site, or a URL that has side effects (e.g., transfers money, or changes the victim's e-mail address or password).
  • A way to lure the victim to a web page with malicious code while the victim is logged in to the target site.

Approach for preventing CSRF

Web sites have various CSRF countermeasures available:
  • Checking that the HTTP Referer header carries the same domain name as the current URL;
  • Limiting the lifetime of authentication cookies;
  • CSRF token: embedding additional authentication data into requests so that the web application can detect requests from unauthorized locations.

Token based Approach

Embedding additional authentication data into requests allows the web application to detect requests from unauthorized locations:
  • Generate a token for each new session.
  • Generate a hidden field in every form carrying the token from the session; this is the token in the request.
  • Compare the token from the request with the one in the session in a servlet filter to ensure they match. If they do not match, the form was posted by an attacker from an unknown source; redirect them to the login page.
Generate the token and put it in the session
If the session is new, generate a random token, encrypt it and put it in the session:

if (newSession) {
    // ... other new-session setup ...
    // encrypted() is the post's own helper for protecting the random value; it is not shown here
    String encryptedCSRFKey = encrypted(UUID.randomUUID().toString());
    request.getSession().setAttribute(CSRF_TOKEN, encryptedCSRFKey);
}
Generate the HTML field with the same token
There are 2 approaches:
  • Create a taglib for the <form> element which automatically inserts a hidden HTML element named "CSRFAuthKey".
  • Manually create a hidden HTML element named "CSRFAuthKey". A sample code snippet for populating it is shown below.
The end goal is that a hidden field is generated with the token key as present in the session (the field's value is the session token, so the attribute is value, not property):
<input type="hidden" name="CSRF_TOKEN" value="<bean:write name="CSRF_TOKEN" scope="session" filter="true"/>"/>
Filter to authenticate the extra token
Create a servlet filter which intercepts every request and compares the posted token with the session token:

if (session == null) {
    chain.doFilter(request, response);   // no session yet, so there is nothing to protect
    return;
} else {
    // validate the CSRF token: the value stored in the session must equal the one posted with the form
    Object stored = session.getAttribute("CSRF_TOKEN");
    String sessionToken = stored == null ? null : stored.toString();
    String requestToken = httprequest.getParameter("CSRF_TOKEN");
    // compare the two tokens (the original compared sessionToken with itself, which always matched);
    // null-safe: a missing session token or a missing request parameter fails the check
    if (sessionToken != null && sessionToken.equals(requestToken)) {
        chain.doFilter(request, response);
    } else {
        CommonUtils.updateSessionToken(session);   // rotate the token so a failed guess cannot be retried
        httpresponse.sendRedirect("/errorPage.jsp");
    }
}
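Putting the token-generation step and the filter step above together, as an added example that is not the post's own code: one servlet filter that creates the session token, lets side-effect-free methods through, and compares the posted token null-safely and in constant time. It assumes Java 9+ and Servlet API 4.0+ (so init/destroy need no override), the post's "CSRF_TOKEN" name for both the session attribute and the form parameter, and that the hidden field is rendered as shown earlier.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (not the post's code): token generation and filter check in one class.
// Assumes the servlet API on the classpath and the post's "CSRF_TOKEN" attribute/parameter name.
public class CsrfFilter implements Filter {
    static final String CSRF_TOKEN = "CSRF_TOKEN";
    // Requests with these methods must have no side effects, so they carry no token.
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");
    private static final SecureRandom RNG = new SecureRandom();

    /** 32 bytes from SecureRandom, base64url encoded: unguessable without any encryption step. */
    static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Null-safe, constant-time comparison: no NPE on a missing token, no timing side channel. */
    static boolean tokensMatch(String expected, String actual) {
        if (expected == null || actual == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        if (session == null) { chain.doFilter(req, res); return; } // not logged in: nothing to protect
        if (session.getAttribute(CSRF_TOKEN) == null) {
            session.setAttribute(CSRF_TOKEN, newToken()); // step 1 of the post: one token per session
        }
        if (SAFE_METHODS.contains(request.getMethod())) { chain.doFilter(req, res); return; }
        String expected = (String) session.getAttribute(CSRF_TOKEN);
        if (tokensMatch(expected, request.getParameter(CSRF_TOKEN))) {
            chain.doFilter(req, res);
        } else {
            session.setAttribute(CSRF_TOKEN, newToken()); // rotate on failure, as the post does
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, "bad CSRF token");
        }
    }
}
```

Register it in web.xml or with @WebFilter("/*") so every request passes through it; GET pages still reach the filter, which is what creates the token the form later renders.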
