All geek questions in one place

GET CSRF Link Protection

I need to add CSRF protection to a web application.

The problem is that the application is heavily dependent on links (GET requests that are) to make changes to the database.

Links are generated using the class, so I can easily add an extra parameter for the CSRF token for each link.

However, I understand that the CSRF token in the GET request may not be sufficiently protected.

Please note that the application is accessible only through HTTPS, therefore GET transmission parameters cannot be set / stolen during data exchange between the client and server (but the problem with history theft remains).

Could the GET CEFF token be considered "fairly safe" in this setting?

If not, what is the best way to solve this problem? The only thing that comes to my mind is to wrap each of my links in a form (broadcast explicitly or create an onSubmit form using JavaScript).

+4
source share
1 answer

In order to be able to read the response to the CSRF attack request, the attacker will need to force the victim to execute his JavaScript code. Thus, CSRF for the GET request is almost not useful. This assumes that you have followed standards that GET requests should not modify any data, and any changes should only be made using POST

  • Using cookie and SSL authentication should keep you away from a guy who is trying to change settings.
  • You might want to enter some signature based on the timestamp to avoid replay attacks.

However, if you have POST requests, you should consider protecting CSRF.

+4
source

Source: https://habr.com/ru/post/1433584/

More articles:


All Articles