GURKE

How to protect against CSRF

How can I protect my website against a Cross-Site Request Forgery attack? I am visiting a "normal" website (e.g. normal.php). In the background it loads another website (e.g. victim.php/send_comment) where I'm already logged in. The website fills the comment boxes of victim.php with JS and automatically sends the request.

On the web I always find the trick of using tokens against CSRF. But in this example, the website normal.php will get the token when it loads the other website. Am I misunderstanding how the token works? If not, how can I prevent my site from accepting this request?

Upvotes: 3

Answers (1)

loopbackbee

The whole idea of CSRF is that you can't get victim.php/send_comment without a token from a previous page you've visited.

You form a "chain" of requests from your initial login until you get there, where each request is authorized by the previous one - unless you intercept the login page, there should be no way to forge requests.

The easiest and safest way of doing this is just using a web framework that handles CSRF for you. Doing it by hand is probably unnecessary and error-prone.

Upvotes: 1
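Added example (not part of the question or of the answer above): a minimal Python sketch of the synchronizer-token pattern the answer refers to, standing in for the server side of victim.php. The function names `issue_csrf_token`, `render_comment_form`, `handle_send_comment` and the plain-dict session store are assumptions of this sketch, not a real framework's API. It also covers the point the question gets stuck on: the token reaches the browser only inside victim.php's own response, and the browser's same-origin policy stops JavaScript on normal.php from reading that response, so a forged request arrives with the victim's session cookie but without a valid token.

```python
import hmac
import html
import re
import secrets

# Hypothetical stand-in for victim.php's server-side session store. In a real
# deployment this is whatever the framework keeps behind the session cookie;
# the attacker's page never sees it, it only causes the cookie to be sent.


def issue_csrf_token(session: dict) -> str:
    """Return the per-session CSRF token, generating it on first use."""
    if "csrf_token" not in session:
        # 32 random bytes from the OS CSPRNG: unguessable for a cross-site page.
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_comment_form(session: dict) -> str:
    """Server-rendered comment form for victim.php with the token in a hidden field.

    The token travels to the browser only inside this same-origin response, which
    a cross-origin page such as normal.php is not allowed to read."""
    token = html.escape(issue_csrf_token(session), quote=True)
    return (
        '<form method="POST" action="/send_comment">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <textarea name="comment"></textarea>\n'
        '  <button type="submit">Send</button>\n'
        "</form>"
    )


def handle_send_comment(session: dict, form: dict) -> tuple[int, str]:
    """Handler for POST /send_comment: reject any request whose token does not
    match the one stored in the (cookie-authenticated) session."""
    expected = session.get("csrf_token") or ""
    submitted = str(form.get("csrf_token", ""))
    # Constant-time comparison so the check cannot be used as a timing oracle.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403, "CSRF token missing or invalid"
    if not session.get("user"):
        return 401, "not logged in"
    comment = form.get("comment", "")
    return 200, f"comment by {session['user']} posted: {comment!r}"


def token_from_form(form_html: str) -> str:
    """What the legitimate browser does implicitly: submit the hidden field it was given."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', form_html)
    return html.unescape(match.group(1)) if match else ""


def simulate() -> dict:
    """Replay the scenario from the question against the handler above (constructed data)."""
    victim_session = {"user": "alice"}  # alice is logged in to victim.php

    # 1. Legitimate flow: alice loads the form on victim.php and submits it.
    form_html = render_comment_form(victim_session)
    legit = handle_send_comment(
        victim_session, {"csrf_token": token_from_form(form_html), "comment": "hello"}
    )

    # 2. normal.php fires a request from alice's browser. The browser attaches
    #    alice's session cookie, but normal.php's JavaScript cannot read the
    #    token out of victim.php's page, so the POST arrives without it.
    forged_no_token = handle_send_comment(victim_session, {"comment": "spam"})

    # 3. The attacker sends a guessed value: it does not match alice's token.
    forged_guess = handle_send_comment(
        victim_session, {"csrf_token": "0" * 43, "comment": "spam"}
    )

    # 4. The attacker logs in to victim.php themselves and reuses *their* token:
    #    tokens are bound to the session, so it fails against alice's session.
    attacker_session = {"user": "mallory"}
    attacker_form = render_comment_form(attacker_session)
    forged_other_session = handle_send_comment(
        victim_session,
        {"csrf_token": token_from_form(attacker_form), "comment": "spam"},
    )

    return {
        "legitimate": legit[0],
        "forged_no_token": forged_no_token[0],
        "forged_guess": forged_guess[0],
        "forged_other_session": forged_other_session[0],
    }


if __name__ == "__main__":
    for name, status in simulate().items():
        print(f"{name}: HTTP {status}")
```

A framework's built-in CSRF middleware does the same three things: mint an unguessable per-session (or per-request) token, embed it in every state-changing form, and reject a POST whose token does not match, using a constant-time comparison. Drawing the token from a CSPRNG and binding it to the session is what makes step 4 fail: a token the attacker obtained in their own session is useless against the victim's.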