Thursday, May 15, 2008

CSRF Protection

As of this posting, CSRF (Cross-Site Request Forgery) ranks as the fifth most serious threat to web applications. For background on what CSRF is, read http://www.owasp.org/index.php/Top_10_2007-A5

1. A good protection against this attack is to re-authenticate the user (for example with a transaction password) or, better, to use two-factor authentication for critical transactions such as fund transfers. Taking the CSRF vulnerability in Hacme Casino as an example, a good solution would be to ask for a transaction password, as shown in the screenshot below -

[screenshot of the transaction-password prompt]
2. Another solution is to implement one-time nonces (a random token issued with each form and checked by the server on submission). For more information, refer to the link mentioned above.

3. ASP.Net
Myth: Having ViewState enabled in a .Net web app prevents CSRF attacks.

Fact: ViewState on its own does not. Setting ViewStateUserKey to a value that is distinct for each user, such as "ViewStateUserKey = Session.SessionID", is what protects you against CSRF attacks.
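The one-time nonce approach from point 2 above, worked through as an added example (this is not code from the original post, Hacme Casino, or ASP.Net). The server issues a fresh random nonce for each rendered form, binds it to the requesting session, and deletes it the first time it is presented, so a request forged from another site (which cannot read the nonce) and a replay of an already-used nonce are both refused. The store, the `/transfer` handler, the session ids and the `NONCE_TTL_SECONDS` lifetime are all constructed for this illustration; a real application would keep the store in its session backend.

```python
import hmac
import re
import secrets
import time

NONCE_TTL_SECONDS = 600  # hypothetical lifetime for an unused nonce


class CsrfNonceStore:
    """Server-side store of one-time CSRF nonces, keyed by session id.

    Each nonce is issued once, bound to the session that rendered the form,
    expires if unused, and is removed the first time it is presented.
    """

    def __init__(self, ttl=NONCE_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._nonces = {}  # (session_id, nonce) -> issue time

    def issue(self, session_id):
        # token_urlsafe yields only [A-Za-z0-9_-], so it is safe to embed in an HTML attribute
        nonce = secrets.token_urlsafe(32)
        self._nonces[(session_id, nonce)] = self._clock()
        return nonce

    def _purge_expired(self):
        now = self._clock()
        for key, issued in list(self._nonces.items()):
            if now - issued > self._ttl:
                del self._nonces[key]

    def consume(self, session_id, presented):
        """Return True if `presented` is a live nonce for this session, deleting it so it cannot be reused."""
        if not presented:
            return False
        self._purge_expired()
        for sid, nonce in list(self._nonces):
            # compare_digest keeps the comparison time independent of where the strings differ
            if sid == session_id and hmac.compare_digest(nonce, presented):
                del self._nonces[(sid, nonce)]
                return True
        return False


def render_transfer_form(store, session_id):
    """Render the fund-transfer form with a hidden nonce bound to this session."""
    nonce = store.issue(session_id)
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_nonce" value="{nonce}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer(store, session_id, form):
    """POST /transfer: refuse unless the submitted nonce is live for the caller's session."""
    if not store.consume(session_id, form.get("csrf_nonce")):
        return 403, "CSRF nonce missing, expired, already used, or from another session"
    return 200, f"transferred {form['amount']} to {form['to']}"


def demo():
    """Legitimate submit, replay of the same nonce, and a nonce-less cross-site form."""
    store = CsrfNonceStore()
    victim_session = "sess-victim-constructed"
    html = render_transfer_form(store, victim_session)
    nonce = re.search(r'name="csrf_nonce" value="([^"]+)"', html).group(1)
    legit = handle_transfer(store, victim_session, {"csrf_nonce": nonce, "to": "alice", "amount": "10"})
    replay = handle_transfer(store, victim_session, {"csrf_nonce": nonce, "to": "alice", "amount": "10"})
    # a form served by another origin carries the victim's cookies but cannot include the nonce
    forged = handle_transfer(store, victim_session, {"to": "mallory", "amount": "1000"})
    return legit[0], replay[0], forged[0]


if __name__ == "__main__":
    print(demo())  # (200, 403, 403)
```

ViewStateUserKey in point 3 plays the same binding role as the `session_id` key above: a token that is only valid for the user whose session rendered the page. The Python store goes one step further by also retiring each nonce after a single use.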
