Reputation: 46920
I'm trying to better understand the mechanism for how Spring CSRF protection works. Suppose I have a site https://example.com/
where people can vote on candidates. Users can also exchange messages. I also have a user logged in, and another user that sends her a message saying to click on the link https://example.com/vote/candidate/30.
If a user clicks on this link, won't the browser send both the CSRF token and the session ID for the logged in user, thereby bypassing the CSRF protection check?
Upvotes: 1
Views: 135
Reputation: 15570
The reason a link is usually not a problem regarding CSRF is that CSRF is only an issue when the request changes something. A link (a GET request) should not change anything. If it does, like in your example it adds a vote to the candidate I suppose, any link from an external origin (a different website) would also be able to exploit "normal" CSRF by just linking to that url.
The problem in the example is not that CSRF protection is inadequate in Spring, the problem is that voting in this case is a GET request, and GETs are not usually protected against CSRF by design. The solution is to change the vote request to a POST, which would then be protected against CSRF (and which would also be more RESTful btw).
Upvotes: 2
Reputation: 840
Main idea: when a request is submitted, the server receives a special cookie and expects a defined value in this cookie. If this value is different, the request should fail. So, if a service returns a form for moving money between accounts, this form includes a parameter that is expected to be received when the form is submitted, and if the data were sent without this parameter, the request wouldn't be processed.
Upvotes: 0
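The two answers above describe the same fix from two sides: move the state change off GET onto POST (first answer), and let the server hand out a token in the form that it checks on submission (second answer). The following is an added example, not code from the question or either answer, showing what that looks like in Spring Security 6 / Spring Boot 3: the vote endpoint becomes a POST covered by `CsrfFilter`, the GET only renders a form carrying the hidden `_csrf` parameter, and a MockMvc test (test source set, needs `spring-security-test`) checks that a POST without the token is rejected with 403 while one with the token is accepted. The `/vote/candidate/{id}` path and candidate `30` come from the question; the package, class names and the in-memory vote counter are assumptions for the example.

```java
package com.example.vote;   // hypothetical package, assumed for the example

import java.security.Principal;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.*;
import org.junit.jupiter.api.Test;

import static org.hamcrest.Matchers.containsString;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@Configuration
@EnableWebSecurity
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // CSRF protection is on by default; shown explicitly. CsrfFilter only
            // enforces the token on non-safe methods (POST, PUT, PATCH, DELETE),
            // which is why a state-changing GET slips past it.
            .csrf(Customizer.withDefaults());
        return http.build();
    }
}

@RestController
class VoteController {
    private final ConcurrentMap<Long, Integer> votes = new ConcurrentHashMap<>();

    // Before (the question's situation): a state-changing GET. A plain link in a
    // message would trigger it, and no token is ever checked for GET.
    // @GetMapping("/vote/candidate/{id}")
    // void voteViaGet(@PathVariable long id) { votes.merge(id, 1, Integer::sum); }

    // After: GET only renders the form. CsrfTokenArgumentResolver (registered by
    // @EnableWebSecurity) injects the token CsrfFilter attached to the request, and
    // the form carries it as the hidden parameter the second answer describes.
    @GetMapping(value = "/vote/candidate/{id}", produces = MediaType.TEXT_HTML_VALUE)
    String voteForm(@PathVariable long id, CsrfToken csrf) {
        return "<form method=\"post\" action=\"/vote/candidate/" + id + "\">"
             + "<input type=\"hidden\" name=\"" + csrf.getParameterName()
             + "\" value=\"" + csrf.getToken() + "\"/>"
             + "<button type=\"submit\">Vote</button></form>";
    }

    // The state change now lives on POST: a link cannot trigger it, and a form
    // posted from another origin fails the token check before reaching this method.
    @PostMapping("/vote/candidate/{id}")
    String vote(@PathVariable long id, Principal voter) {
        int total = votes.merge(id, 1, Integer::sum);
        return voter.getName() + " voted for candidate " + id + " (total " + total + ")";
    }
}

// Test source set. Verifies the behaviour the first answer asks for.
@WebMvcTest(VoteController.class)
@Import(SecurityConfig.class)
class VoteCsrfTest {
    @Autowired MockMvc mvc;

    @Test @WithMockUser("alice")
    void getRendersFormWithTokenButCastsNoVote() throws Exception {
        mvc.perform(get("/vote/candidate/30"))
           .andExpect(status().isOk())
           .andExpect(content().string(containsString("name=\"_csrf\"")));
    }

    @Test @WithMockUser("alice")
    void postWithoutTokenIsRejected() throws Exception {
        // Session cookie alone (what a cross-site form post would carry) is not enough.
        mvc.perform(post("/vote/candidate/30")).andExpect(status().isForbidden());
    }

    @Test @WithMockUser("alice")
    void postWithTokenIsAccepted() throws Exception {
        mvc.perform(post("/vote/candidate/30").with(csrf())).andExpect(status().isOk());
    }
}
```

The point the test makes explicit: the browser does send the session cookie automatically, but the CSRF token is not a cookie the browser attaches on its own; it is a value the server embedded in its own page, so only a form rendered by `example.com` can present it. Clicking a link never presents it, and with the vote on POST, clicking a link never changes state either.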