OWASP Top 10 – Cross Site Request Forgery

  • The attacker forces an authenticated user's browser to send forged HTTP requests that carry the victim's session data (for example the session cookie).
  • The victim must be logged in to the target application for the attack to work.
  • The vulnerable server-side application treats these requests as legitimate because they arrive with a valid session.

The forged request can also be delivered through stored content: the application accepts unvalidated input, stores it in the database, and presents it to other users on request; when a logged-in user loads that content, the exploitation occurs from the victim's own browser.

Solutions

  • Include a unique, unpredictable token in a hidden form field and verify it on the server for every state-changing request (a hidden field sends the value in the request body rather than in the URL, where it could leak through logs or the Referer header).
  • Require the user to re-authenticate before a sensitive/important request.
  • Implement a CAPTCHA on sensitive actions.
  • Use mobile SMS/OTP verification for high-value actions.
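As an added example (not code from the original post), the following Python simulation shows the first solution at work: a per-session token is rendered into a hidden form field, and a handler that checks it rejects a request that only carries the session cookie. `Session`, `Request`, the ledger dictionary and the `transfer_*` handlers are constructed stand-ins for a web framework's session, request and business logic.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Stand-in for a server-side session identified by the browser's cookie.
    The CSRF token is generated once per session and never placed in a URL."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed stand-in for an HTTP POST: `session` is what the cookie
    resolves to, `form` is the parsed request body."""
    session: Session
    form: dict


def render_transfer_form(session: Session) -> str:
    """Emit the form the legitimate page serves. The token travels in a hidden
    field, so it is sent in the request body rather than in the query string."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{html.escape(session.csrf_token)}">'
        '<input name="amount"><button>Send</button></form>'
    )


def transfer_vulnerable(req: Request, ledger: dict) -> bool:
    """Vulnerable handler: trusts the session alone. Any request that arrives
    with the victim's cookie, including one a third-party page caused the
    browser to send, is processed."""
    ledger[req.session.user] -= int(req.form["amount"])
    return True


def transfer_protected(req: Request, ledger: dict) -> bool:
    """Hardened handler: the request must also carry the token that was
    rendered into the hidden field. A page on another origin cannot read
    the victim's token, so it cannot build a request that passes this check.
    compare_digest avoids leaking the token through timing differences."""
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return False  # reject and do not touch the ledger
    ledger[req.session.user] -= int(req.form["amount"])
    return True


def demo() -> dict:
    """Run both handlers against a genuine submission and a forged one
    (constructed input) and report the ledger after each step."""
    session = Session(user="alice")
    ledger = {"alice": 100}
    # Submission from the real form: token present in the body.
    genuine = Request(session, {"amount": "10", "csrf_token": session.csrf_token})
    # Request the browser was made to send from elsewhere: cookie present, token absent.
    forged = Request(session, {"amount": "10"})

    results = {}
    results["genuine_protected"] = transfer_protected(genuine, ledger)   # True, balance 90
    results["forged_protected"] = transfer_protected(forged, ledger)     # False, balance still 90
    results["balance_after_protected"] = ledger["alice"]
    results["forged_vulnerable"] = transfer_vulnerable(forged, ledger)   # True, balance 80
    results["balance_after_vulnerable"] = ledger["alice"]
    return results


if __name__ == "__main__":
    print(render_transfer_form(Session(user="alice")))
    print(demo())
```

The token is bound to the session and checked on every state-changing request; rotating it per session (or per form) and comparing with `hmac.compare_digest` are the two details most often missed when this defence is hand-rolled.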
