Questions tagged [csrf]

A cross-site request forgery (CSRF) attack causes a visitor of a malicious website to send a request to a legitimate website to which they are already logged in. Because the browser attaches cookies based on the destination of the request, not on the page that triggered it, the session cookie is included automatically and the legitimate site treats the forged request as the user's own.
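The mechanism described above, as an added example that is not part of the tag wiki: a toy browser that keeps one cookie jar per host and attaches the jar of the *target* host to every request, whatever page caused it, plus a bank endpoint that authorises on the session cookie alone. The host names, the `/transfer` endpoint, the session id and the attacker's page are all constructed for this example.

```python
"""Model of a CSRF attack: cookies follow the request's destination, so a form
on attacker.example that auto-submits to bank.example carries Alice's session.
Everything here (hosts, endpoint, session id, HTML) is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SESSIONS = {"s3ss10n": "alice"}            # session cookie value -> user
BALANCES = {"alice": 100, "mallory": 0}


def bank_transfer(request):
    """Vulnerable handler: the only authorisation is the session cookie."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return 401, "not logged in"
    to, amount = request["form"]["to"], int(request["form"]["amount"])
    if BALANCES.get(user, 0) < amount:
        return 400, "insufficient funds"
    BALANCES[user] -= amount
    BALANCES[to] = BALANCES.get(to, 0) + amount
    return 200, f"moved {amount} from {user} to {to}"


ROUTES = {("bank.example", "/transfer"): bank_transfer}


class _FormExtractor(HTMLParser):
    """Pulls action, method and input values out of the first <form> on a page."""
    def __init__(self):
        super().__init__()
        self.action, self.method, self.fields = None, "GET", {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
            self.method = (a.get("method") or "GET").upper()
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


class Browser:
    """Cookie jar keyed by host; a rendered form is submitted at once, which is
    what the attacker page's document.forms[0].submit() does in a real browser."""
    def __init__(self):
        self.jar = {}                       # host -> {cookie name: value}

    def set_cookie(self, host, name, value):
        self.jar.setdefault(host, {})[name] = value

    def submit(self, url, method, form, referer):
        parts = urlsplit(url)
        # The jar for the *destination* host is attached, never the page's host.
        request = {"method": method, "form": form,
                   "cookies": dict(self.jar.get(parts.hostname, {})),
                   "headers": {"Referer": referer}}
        handler = ROUTES.get((parts.hostname, parts.path))
        return handler(request) if handler else (404, "no such route")

    def visit(self, page_url, html):
        ex = _FormExtractor()
        ex.feed(html)
        if ex.action is None:
            return 200, "rendered, no form"
        return self.submit(ex.action, ex.method, ex.fields, referer=page_url)


ATTACKER_PAGE = """
<html><body>
<form action="https://bank.example/transfer" method="POST">
  <input type="hidden" name="to" value="mallory">
  <input type="hidden" name="amount" value="40">
</form>
<script>document.forms[0].submit()</script>
</body></html>
"""


def run_attack(logged_in=True):
    """Alice (optionally) logs in to bank.example, then visits attacker.example.
    Returns the bank's status code and the resulting balances."""
    BALANCES.update({"alice": 100, "mallory": 0})
    browser = Browser()
    if logged_in:
        browser.set_cookie("bank.example", "session", "s3ss10n")
    status, _ = browser.visit("https://attacker.example/cute-cats", ATTACKER_PAGE)
    return status, dict(BALANCES)


if __name__ == "__main__":
    print(run_attack(True))    # the forged transfer succeeds
    print(run_attack(False))   # without a live session it is just an unauthenticated POST
```

Note that the attacker never sees the session cookie or the response; the whole attack is the browser doing what cookies are designed to do. That is also why the bank site does not need to be open in another tab: only the cookie has to exist.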

698 questions
112 votes, 8 answers

Why refresh CSRF token per form request?

In many tutorials and guides I see that a CSRF token should be refreshed per request. My question is why do I have to do this? Isn't a single CSRF token per session much easier than generating one per request and keeping track of the ones…
Philipp Gayret
87 votes, 5 answers

CSRF protection with custom headers (and without validating token)

For a REST API it seems that it is sufficient to check the presence of a custom header to protect against CSRF attacks, e.g. the client sends "X-Requested-By: whatever" and the server checks the presence of "X-Requested-By" and drops the request if the…
Mads Mobæk
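The custom-header check from the question above, worked through as an added example (not the asker's code and not any framework's). A cross-origin HTML form can only carry a few "simple" headers; a script that adds a custom header forces a CORS preflight, and the request is only sent if the server grants that header to that origin. The header name `X-Requested-By`, the origins and the request shapes are constructed, and the browser model is simplified (it ignores the Content-Type value rules of CORS).

```python
"""Custom-header CSRF defence with the browser's CORS behaviour modelled
alongside it. Origins, header name and requests are constructed."""
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
API_ORIGIN = "https://api.example"
ALLOWED_ORIGINS = {"https://app.example"}    # cross-origin callers we trust
REQUIRED_HEADER = "x-requested-by"


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def api_handler(request):
    """State-changing endpoint: the only CSRF check is the custom header."""
    if REQUIRED_HEADER not in _lower(request["headers"]):
        return 403, "missing X-Requested-By"
    return 200, "ok"


def cors_preflight(origin, requested_headers):
    """Server side of the OPTIONS preflight. Answering '*' or echoing any
    Origin here (with credentials) would reopen the hole the header closes."""
    if origin in ALLOWED_ORIGINS and requested_headers <= {REQUIRED_HEADER}:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Headers": "X-Requested-By",
                "Access-Control-Allow-Credentials": "true"}
    return {}  # no CORS grant: the browser drops the real request


def browser_request(page_origin, headers, body):
    """The browser's decision for a credentialed request from page_origin to
    API_ORIGIN. Same origin: send. Cross-origin with only simple headers (an
    HTML form): send silently, cookies included. Cross-origin with a custom
    header: preflight first, send only if the server grants that header."""
    if page_origin != API_ORIGIN:
        custom = {k for k in _lower(headers) if k not in SIMPLE_HEADERS}
        if custom:
            grant = cors_preflight(page_origin, custom)
            granted = {h.strip().lower() for h in
                       grant.get("Access-Control-Allow-Headers", "").split(",") if h.strip()}
            if grant.get("Access-Control-Allow-Origin") != page_origin or not custom <= granted:
                return None, "blocked by browser: preflight not granted"
    return api_handler({"headers": headers, "body": body})


def scenarios():
    """Status code the API returned, or None when the browser never sent it."""
    form = {"Content-Type": "application/x-www-form-urlencoded"}
    xhr = {"Content-Type": "application/json", "X-Requested-By": "app"}
    return {
        "same_origin_script": browser_request(API_ORIGIN, xhr, '{"to":"bob"}')[0],
        "trusted_cross_origin": browser_request("https://app.example", xhr, '{"to":"bob"}')[0],
        "attacker_form_post": browser_request("https://attacker.example", form, "to=mallory")[0],
        "attacker_fetch_with_header": browser_request("https://attacker.example", xhr, '{"to":"mallory"}')[0],
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:28s} -> {status}")
```

The defence is only as strong as the CORS policy that backs it: if the preflight handler reflects arbitrary origins with `Access-Control-Allow-Credentials: true`, any site can add the header and the check is worthless. Non-browser clients can set any header they like, but they also do not have the victim's cookies, which is the whole point.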
31 votes, 4 answers

Is checking the Referer and Origin headers enough to prevent CSRF, provided that requests with neither are rejected?

Is it possible to prevent CSRF by checking the Origin and Referer headers? Is this adequate, provided that requests with neither are blocked?
Demi
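The policy from the question above ("Origin if present, else Referer, else reject"), implemented as an added example that is not the asker's code. The comparison is on the full origin (scheme, host, port), never on a host prefix, and a literal `Origin: null` is rejected. The site origin and the sample requests are constructed.

```python
"""Origin/Referer CSRF check for state-changing requests.
SITE_ORIGIN and the sample requests are constructed for this example."""
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def origin_of(url):
    """Reduce a URL (Referer) or an origin string to scheme://host[:port]."""
    try:
        p = urlsplit(url.strip())
        port = p.port                      # raises ValueError on a bad port
    except (ValueError, AttributeError):
        return None
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    default = 443 if p.scheme == "https" else 80
    suffix = f":{port}" if port not in (None, default) else ""
    return f"{p.scheme}://{p.hostname}{suffix}"


def source_origin(headers):
    """Origin if sent (it may be the literal 'null'), else the Referer's
    origin, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" in h:
        return "null" if h["origin"] == "null" else origin_of(h["origin"])
    if "referer" in h:
        return origin_of(h["referer"])
    return None


def csrf_check(method, headers):
    """Return (allowed, reason). Safe methods are not checked; they must not
    change state in the first place."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    src = source_origin(headers)
    if src is None:
        return False, "neither Origin nor Referer present"
    if src != SITE_ORIGIN:
        return False, f"source origin {src} is not {SITE_ORIGIN}"
    return True, "origin matches"


SAMPLES = {  # constructed requests
    "own_form":         ("POST", {"Origin": "https://bank.example"}),
    "own_referer_only": ("POST", {"Referer": "https://bank.example/account/transfer?x=1"}),
    "attacker_origin":  ("POST", {"Origin": "https://attacker.example"}),
    "lookalike_prefix": ("POST", {"Referer": "https://bank.example.attacker.net/"}),
    "lookalike_port":   ("POST", {"Origin": "https://bank.example:8443"}),
    "null_origin":      ("POST", {"Origin": "null"}),   # sandboxed iframe, data: URL
    "stripped":         ("POST", {}),                   # proxy or extension removed both
    "safe_get":         ("GET", {}),
}


def evaluate():
    return {name: csrf_check(m, h)[0] for name, (m, h) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (m, h) in SAMPLES.items():
        print(f"{name:18s} {csrf_check(m, h)}")
```

The "stripped" case is the practical cost: users behind proxies or privacy tools that remove the Referer, on a site whose Referrer-Policy suppresses it, will have legitimate posts rejected. That trade-off is the usual reason this check is deployed as defence in depth next to a token rather than on its own.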
22 votes, 3 answers

Why is the synchronizer token pattern preferred over the origin header check to prevent CSRF

I am well aware of the concept of CSRF, and I think I am also aware of the possible protection possibilities, as described by OWASP. However, I'm not sure why the synchronizer pattern seems to be preferred, if we could just as easily check the…
Michael
20 votes, 4 answers

CSRF Token in GET request

According to the OWASP testing guide a CSRF token should not be contained within a GET request as the token itself might be logged in various places such as logs or because of the risk of shoulder surfing. I was wondering if you only allow the CSRF…
Lucas Kauffman
11 votes, 2 answers

Why does Double Submit Cookies require a separate cookie?

According to OWASP: When a user authenticates to a site, the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session id. (emphasis mine) Why does the CSRF token…
Gili
10 votes, 1 answer

When should I generate a new CSRF token

I'm building a CSRF prevention method in our application framework. I use, inter alia, the OWASP site. We have chosen the "Double Submit Cookies" prevention measure, described at the OWASP CSRF cheat sheet. The cheat sheet states: When a user…
Julian
10 votes, 3 answers

CSRF: Random value or HMAC

I've seen several implementations of CSRF tokens: The first one uses randomly generated CSRF tokens which use a cryptographically strong random generator to generate the token. The second implementation I found uses HMAC which encrypts the session id…
Lucas Kauffman
9 votes, 1 answer

Is the double submit cookie pattern still effective?

I ran across this OWASP paper and was frankly confused. I thought this pattern was still one of the cornerstone strategies against CSRF but the paper seems to say it's broken. Should this pattern still be…
temporary_user_name
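The four double-submit questions above ("Why does Double Submit Cookies require a separate cookie?", "When should I generate a new CSRF token", "CSRF: Random value or HMAC" and "Is the double submit cookie pattern still effective?") all turn on the same contrast, shown here as one added example that is not taken from any of them. The naive form compares a random cookie against the same value echoed in the form; anyone who can plant a cookie for the site (a sibling subdomain, a network attacker on an `http://` page) plants both halves and passes. The HMAC-bound form makes the token `HMAC(secret, session_id || nonce)`, recomputed over the current session on every check, so a planted or cross-session token fails. The secret, session ids and token layout are constructed for this example.

```python
"""Naive versus HMAC-bound double submit cookie. Secret, session ids and the
token encoding (hex MAC '.' hex nonce) are this example's own choices."""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)     # constructed; in practice a managed secret


# ---- naive double submit: random cookie == form value ----
def naive_issue():
    token = secrets.token_urlsafe(32)
    return {"csrf": token}, token            # (cookie to set, value to embed in form)


def naive_verify(cookies, form_token):
    c = cookies.get("csrf")
    return bool(c) and bool(form_token) and hmac.compare_digest(c, form_token)


# ---- HMAC-bound double submit: cookie == form value AND MAC checks out ----
def _mac(session_id, nonce):
    return hmac.new(SERVER_SECRET, f"{session_id}!{nonce}".encode(),
                    hashlib.sha256).hexdigest()


def bound_issue(session_id):
    nonce = secrets.token_hex(16)             # lets a session hold several distinct tokens
    token = f"{_mac(session_id, nonce)}.{nonce}"
    return {"csrf": token}, token


def bound_verify(session_id, cookies, form_token):
    c = cookies.get("csrf")
    if not c or not form_token or not hmac.compare_digest(c, form_token):
        return False
    try:
        mac, nonce = form_token.split(".", 1)
    except ValueError:
        return False
    # Recompute over the *current* session id: a token planted by someone
    # without SERVER_SECRET, or issued for another session, cannot match.
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def demo():
    session_id = "s3ss10n-alice"
    cookies, form_token = naive_issue()
    naive_legit = naive_verify(cookies, form_token)
    cookies, form_token = bound_issue(session_id)
    bound_legit = bound_verify(session_id, cookies, form_token)

    # Attacker plants a cookie (e.g. from a sibling subdomain) and submits the same value.
    planted = "attacker-chosen-value"
    naive_planted = naive_verify({"csrf": planted}, planted)
    bound_planted = bound_verify(session_id, {"csrf": planted}, planted)

    # Attacker forges a well-formed token with a bogus MAC.
    forged = "00" * 32 + "." + "ab" * 16
    bound_forged = bound_verify(session_id, {"csrf": forged}, forged)

    # A token legitimately issued to Mallory's session does not work in Alice's.
    other_cookies, other_token = bound_issue("s3ss10n-mallory")
    bound_other = bound_verify(session_id, other_cookies, other_token)

    return {"naive_legit": naive_legit, "naive_planted_cookie": naive_planted,
            "bound_legit": bound_legit, "bound_planted_cookie": bound_planted,
            "bound_forged_mac": bound_forged, "bound_other_session": bound_other}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {'accepted' if v else 'rejected'}")
```

The token gets its own cookie because the session cookie should stay `HttpOnly` and unreadable by script, while the token cookie has to be readable so the page can echo it; the MAC binds the two without exposing the session id. On the "still effective?" question: the naive form is the one that cookie-planting breaks, and binding the token to the session with a server secret is the usual fix.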
8 votes, 2 answers

How does github.com implement CSRF mitigation

I had a look into CSRF recently. The recommended mitigation strategy is to implement the Synchronizer Token Pattern. When you look at the details, the question comes up how often these tokens need to be changed. Again, the general recommendation is…
user32387
6 votes, 2 answers

CSRF protection for unauthenticated requests, actions, searches or comments?

I have gone through the example of CSRF funds transfer from a bank where the user is logged in. Similarly I have looked at CSRF in case of email updating. I think I understood it but I am not quite sure if it extends to unauthenticated requests/…
Sanchit Sharma
6 votes, 3 answers

Does CSRF work when the target site is not open on a tab?

This is an example attack scenario from OWASP for CSRF: The application allows a user to submit a state changing request that does not include anything secret. For example:…
user15194
5 votes, 4 answers

Is it worth checking the referrer?

I have been researching CSRF and one thing on the list, I feel, is questionable. I am not sure if "checking the referrer" is worth doing or not. Some articles I read are saying something of this nature: However, this is risky, as some corporate…
imGreg
5 votes, 4 answers

How to share CSRF token to client application?

I have two different web applications. The services web app has REST services defined. The client web app has JSP pages which make calls to the REST services using Ajax to get the data and display it in the UI. I want to implement OWASP CSRFGuard 3 for my REST…
MShah
5 votes, 1 answer

Why can CSRF attack be prevented by issuing CSRF tokens?

The common way to prevent CSRF requests: Each time the user loads a page that contains a form to be POSTed, the user is issued a CSRF token that is supposed to be unknown to potentially malicious third-party sites. The token is issued both as a…
gaazkam
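The synchronizer token pattern that the question above and "Why refresh CSRF token per form request?" both ask about, as an added example that is neither asker's code. The server mints a token with a CSPRNG, keeps it in the server-side session and embeds it in the form; a page on another origin cannot read that form, so a forged POST arrives without a valid token. Both policies from the earlier question are implemented side by side: one token per session, and one token per rendered form with a bounded pool of outstanding tokens so several open tabs keep working. The session layout and names are this example's own.

```python
"""Synchronizer token pattern, per-session and per-request variants.
Session dict layout, MAX_OUTSTANDING and the handler are constructed."""
import hmac
import secrets
from collections import OrderedDict

MAX_OUTSTANDING = 16   # per-request mode: unused tokens a session may hold (open tabs)


def issue_token(session, per_request=False):
    """Return the token to embed in the form being rendered."""
    if not per_request:
        # Per-session: minted once, reused by every form in this session.
        if "csrf" not in session:
            session["csrf"] = secrets.token_urlsafe(32)
        return session["csrf"]
    # Per-request: a fresh token for this form, remembered until it is used.
    pool = session.setdefault("csrf_pool", OrderedDict())
    token = secrets.token_urlsafe(32)
    pool[token] = True
    while len(pool) > MAX_OUTSTANDING:     # evict the oldest, never the newest
        pool.popitem(last=False)
    return token


def verify_token(session, submitted, per_request=False):
    """True if the submitted token is valid; per-request tokens are single-use."""
    if not submitted:
        return False
    if not per_request:
        expected = session.get("csrf")
        # Constant-time comparison so the check does not leak the token byte by byte.
        return expected is not None and hmac.compare_digest(expected, submitted)
    pool = session.get("csrf_pool", {})
    match = next((t for t in pool if hmac.compare_digest(t, submitted)), None)
    if match is None:
        return False
    del pool[match]                        # burn it: a replay of this form fails
    return True


def handle_transfer(session, form, per_request=False):
    """A state-changing handler guarded by the token check."""
    if not verify_token(session, form.get("csrf_token"), per_request):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"


def demo(per_request):
    """Status codes for: legitimate post, forged post without a token, forged
    post with a guessed token, replay of the first token, post from a second tab."""
    session = {"user": "alice"}
    tab1 = issue_token(session, per_request)      # form rendered in tab 1
    tab2 = issue_token(session, per_request)      # form rendered in tab 2
    legit = handle_transfer(session, {"to": "bob", "amount": "5", "csrf_token": tab1}, per_request)[0]
    # The attacker's page makes the browser send the cookie (so the session resolves)
    # but the same-origin policy stops it reading tab1 out of the bank's page.
    forged = handle_transfer(session, {"to": "mallory", "amount": "50"}, per_request)[0]
    guessed = handle_transfer(session, {"to": "mallory", "amount": "50",
                                        "csrf_token": secrets.token_urlsafe(32)}, per_request)[0]
    replay = handle_transfer(session, {"to": "bob", "amount": "5", "csrf_token": tab1}, per_request)[0]
    second_tab = handle_transfer(session, {"to": "bob", "amount": "1", "csrf_token": tab2}, per_request)[0]
    return legit, forged, guessed, replay, second_tab


if __name__ == "__main__":
    print("per-session:", demo(False))   # replay of a used token is still accepted
    print("per-request:", demo(True))    # replay is rejected; the second tab still works
```

The two runs differ only in the replay column: a per-session token is accepted again, a per-request token is not. That is the whole benefit of rotating per request, and the price is the bookkeeping (the pool, its eviction rule, and the broken-tab complaints when the pool is too small), which is why many frameworks settle for one token per session and rotate it on login.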