
CSRF Protection

It occurred to me that there is another way of providing protection against CSRF attacks, in addition to the ones already listed on Wikipedia.

There are several ways to forge a request in a CSRF attack: an iframe, a script tag, an image tag, a scripted window.open() and so on. XHR is not one of them: the browser enforces its cross-domain rules before the request is sent, not merely when the reply is read, so a page cannot use XHR to fire a request at a site it does not belong to. (With CORS, which came after this was written, the picture is the same for our purposes: a cross-origin POST whose Content-Type is anything other than application/x-www-form-urlencoded, multipart/form-data or text/plain is not a "simple" request, so the browser sends a preflight first and never sends the real request unless the target site explicitly opts in.)

Of these, only the iframe method and XHR can produce a POST; the other attack mechanisms are restricted to GET. With the iframe method, you use some DOM scripting to build a form whose target is a (usually hidden) iframe and then submit it. An HTML form can only encode its body as application/x-www-form-urlencoded (the default), multipart/form-data or text/plain, so that is the complete set of content types a forged iframe POST can carry.

So in the Ajax world, it might be possible to have a CSRF-safe application simply by insisting on POST for anything that changes state and rejecting any POST whose Content-Type is one a form can produce: not just application/x-www-form-urlencoded, but multipart/form-data and text/plain as well. Legitimate clients would send something a form cannot, such as application/json, which only XHR can set. Two details matter for the check: it must compare the media type after stripping parameters such as charset, and it must fail closed when the header is missing. Clearly this technique won't work for non-Ajax requests, because it requires the browser to use XHR, and anything that lets a cross-site page send a POST with an arbitrary Content-Type defeats it, which is why it belongs alongside tokens rather than in place of them.
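The gate described above, written out as an added example that is not part of the original post or of any Ajax library. It is framework-agnostic: it takes the request method and the raw Content-Type header value and returns a verdict, so it can be dropped in front of any handler. The function and sample names are my own, and the sample requests are constructed for illustration.

```javascript
// Added example: reject state-changing requests that an HTML form (and hence
// a cross-site iframe POST) could have produced, accept only those that
// require XHR to construct.

// Content types an HTML <form enctype=...> can emit. A cross-site form
// submission, direct or into an iframe, can only ever carry one of these.
const FORM_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Normalise a header value such as "Application/JSON; charset=UTF-8" to the
// bare media type "application/json". Anything that is not a string
// (missing header) becomes "" so the caller can fail closed.
function mediaType(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Returns "accept" or a "reject: <reason>" string.
function checkCsrfByContentType(method, contentType) {
  const m = String(method || "").toUpperCase();
  // GET (and HEAD) are forgeable via <img>, <script> and <iframe src>, so
  // they must never change state; a write arriving that way is refused.
  if (m !== "POST") return "reject: write operations must use POST";
  const mt = mediaType(contentType);
  // A missing Content-Type is treated like a form submission: fail closed.
  if (mt === "") return "reject: missing Content-Type";
  if (FORM_CONTENT_TYPES.has(mt)) return "reject: form-encoded body (forgeable)";
  return "accept";
}

// Constructed sample requests (hypothetical, for the demonstration only).
const SAMPLE_REQUESTS = [
  { label: "ajax json",        method: "POST", contentType: "application/json; charset=utf-8" },
  { label: "forged form",      method: "POST", contentType: "application/x-www-form-urlencoded" },
  { label: "forged multipart", method: "POST", contentType: "multipart/form-data; boundary=xyz" },
  { label: "forged text",      method: "post", contentType: "Text/Plain" },
  { label: "no header",        method: "POST", contentType: undefined },
  { label: "img tag",          method: "GET",  contentType: undefined },
];

// Run every sample through the gate and return the verdicts.
function audit(requests) {
  return requests.map((r) => ({
    label: r.label,
    verdict: checkCsrfByContentType(r.method, r.contentType),
  }));
}

// Stand-alone run: prints one line per sample.
for (const { label, verdict } of audit(SAMPLE_REQUESTS)) {
  console.log(`${label.padEnd(16)} ${verdict}`);
}
```

Of the six constructed samples only "ajax json" is accepted; the lower-case method and mixed-case header in "forged text" show why the normalisation step is not optional. The check is only as strong as the browser's refusal to let a cross-site page set that header, so treat it as one layer next to a CSRF token, not as a replacement.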

Obviously this is a fairly advanced technique, but it might be useful for anyone writing an Ajax library such as DWR. I should see if I can't find a DWR tech-lead around here somewhere.

Has anyone any clues on whether this might help as part of a defence-in-depth policy?



Re: CSRF Protection

Hey Joe, couldn't find a way to contact you directly, so I hope you get notified on comments even on old posts. I'm currently doing security research for my current project, starting with the OWASP Top 10. I'm stuck on the advice for protection against CSRF attacks. OWASP says "[...] tokens can be unique to that particular function or page for that user, or simply unique to the overall session". The latter would be easier to implement, especially in regard to Ajax, as I wouldn't have to send a new token with every Ajax response, to be used for the next request. From my understanding, the unique token would be compromised when faced with an XSS flaw, so the scope wouldn't matter much anyway. I couldn't find any arguments or examples for a token more focused than the user session. Do you have any advice or further material for that issue? Thanks, Jörn

Re: CSRF Protection

PS: It would be nice of your comment system to regard new lines as linebreaks...
