The basic problem is that the wrong HTTP verb was used: a request that changes state was exposed as a GET, which any page can trigger with an image tag or a link.
We will revisit this discussion in Chapter 7, when we discuss the REST architectural style.
Figure 5-1. Cross-Site Request Forgery (figure: the attacker's site causes the client's browser to send the request below to the target, with the client's session cookie attached automatically)

GET /instant_purchase?id=123 HTTP/1.1
Cookie: auth_token=ao98gaw4

However, cross-site request forgery is not limited to GET requests. There are several ways for an attacker to create a POST request using JavaScript, including XMLHttpRequest and creating and submitting hidden forms. Using the proper HTTP verbs alone is not sufficient to defend your application.
In this case, secret form tokens are helpful. The idea is to generate a token for each session that is included as a hidden field in every form. The token is an HMAC (hash-based message authentication code) of the session ID, computed with a key known only to the server. This gives the token two important properties:
• It is hard or impossible for an attacker to generate a valid token given only the session ID, so a valid token certifies that the server issued it for that session.
• The token changes with each session.
A valid token corresponding to the current session ID must be included with each request that has side effects. If the token is not present or invalid, the action is canceled. This prevents the attack, because the attacker has no way to include a valid token with the client's request to the target application: the browser attaches the session cookie automatically, but the same-origin policy keeps the attacker's page from reading the token out of the target's form, and the attacker cannot compute it without the server's key.
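The following is an added example, not code from the book, showing the token scheme described above in Python: the token is HMAC-SHA256 of the session ID under a server-side key, every side-effecting request must present it, and the comparison is constant-time. The request dictionaries, the `handle_instant_purchase` handler, and the forged request are constructed for illustration; the session ID and item ID are taken from Figure 5-1.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Server-side secret used to key the HMAC. Generated fresh here for the
# example; in a real deployment it is loaded from configuration and never
# exposed to clients.
SERVER_KEY = secrets.token_bytes(32)


def make_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Derive the per-session form token as HMAC-SHA256(key, session_id).

    Because the key is secret, knowing the session ID alone (for example from
    the cookie the browser sends automatically) is not enough to compute it.
    """
    return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, presented: Optional[str],
                   key: bytes = SERVER_KEY) -> bool:
    """Recompute the expected token for this session and compare in constant time."""
    if not presented:
        return False
    expected = make_csrf_token(session_id, key)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(expected, presented)


def render_purchase_form(session_id: str, item_id: str,
                         key: bytes = SERVER_KEY) -> str:
    """Hypothetical server view: embed the token as a hidden field in the form."""
    token = make_csrf_token(session_id, key)
    return (
        '<form method="POST" action="/instant_purchase">'
        f'<input type="hidden" name="id" value="{item_id}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="submit" value="Buy"></form>'
    )


def handle_instant_purchase(request: Dict[str, Dict[str, str]],
                            key: bytes = SERVER_KEY) -> str:
    """Hypothetical side-effecting endpoint.

    `request` is a constructed stand-in for an HTTP request: a "cookies" dict and
    a "form" dict. The session cookie alone is NOT sufficient; the form must also
    carry a token valid for that session.
    """
    session_id = request.get("cookies", {}).get("auth_token")
    if session_id is None:
        return "401 no session"
    if not token_is_valid(session_id, request.get("form", {}).get("csrf_token"), key):
        return "403 missing or invalid CSRF token"
    return f"200 purchased item {request['form']['id']}"


def simulate(key: bytes = SERVER_KEY) -> Dict[str, str]:
    """Run a legitimate submission and a forged one through the handler."""
    session_id = "ao98gaw4"  # session ID from Figure 5-1
    token = make_csrf_token(session_id, key)

    # Legitimate client: the page served by the target contained the token.
    legit = {"cookies": {"auth_token": session_id},
             "form": {"id": "123", "csrf_token": token}}

    # Forged POST from the attacker's site: the browser still attaches the
    # session cookie, but the attacker's page cannot read the target's form
    # (same-origin policy) and cannot compute the token without the key.
    forged = {"cookies": {"auth_token": session_id},
              "form": {"id": "123"}}

    # Attacker guessing a token for a different session gets no further.
    wrong_session_token = make_csrf_token("some-other-session", key)
    forged_guess = {"cookies": {"auth_token": session_id},
                    "form": {"id": "123", "csrf_token": wrong_session_token}}

    return {
        "legitimate": handle_instant_purchase(legit, key),
        "forged": handle_instant_purchase(forged, key),
        "forged_guess": handle_instant_purchase(forged_guess, key),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

Two points are easy to get wrong in practice: the token must be compared with a constant-time function, and it must be sent only in the request body (the hidden field), never in a URL, where it would leak through the Referer header and server logs.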