First, a brief description of XSRF:
- The user browses to some-attacker.com/evil.html.
- evil.html contains, for example, an <img> (or some JavaScript that submits a POST form, ...) with the URL "www.your-nice-site.com/doSomeAction".
- This causes the user's browser to automatically send a GET or POST request to your site and perform the action on behalf of the user. Unfortunately, the user's cookies for www.your-nice-site.com are also sent automatically with the request, therefore (and here is the problem), if the user is logged in, the request arrives at your server as if it had been fully authorized by the user (that is, unless your server requires an additional anti-XSRF token).
Now it's easy to notice that XSRF cannot be used to attack the login service, because at that moment the user has not logged in yet: the attacker would need to find out the user's credentials for logging on to the system. (If the user is already logged in, then a call to the login service should do nothing! [*])
Note: Of course, an attacker can use other methods to attack user credentials, first of all phishing. Anti-XSRF measures cannot protect you from this.
[*] If you have services that cannot be protected with the anti-XSRF token (for example, login services), then make sure that they do not return valid JSON / JavaScript containing valuable information!
If you absolutely have to, then always wrap the response in JavaScript comments (/* */), as described in http://code.google.com/webtoolkit/articles/security_for_gwt_applications.html#json . Or even better: prefix the response with while(1); as described in "Why there is "while (1);" in the answer of XmlHttpRequest?". In any case, this is a good practice.
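As an added example (not code from the original answer), the response guard described above in both variants, together with the unwrapping that the site's own same-origin XHR/fetch client must do before parsing; the function names are assumptions for this illustration:

```javascript
// Added example: hardening JSON responses so that a cross-site <script src="...">
// include cannot read them, plus the matching same-origin client unwrapping.
// protectJson / parseProtectedJson are hypothetical names, not from the answer.

const PREFIX = "while(1);";

// Server side: wrap the serialized payload so that, if an attacker's page pulls it
// in as a script, it either loops forever (prefix) or evaluates to nothing (comment).
function protectJson(payload, style = "prefix") {
  const body = JSON.stringify(payload);
  if (style === "prefix") return PREFIX + body;
  if (style === "comment") return "/*" + body + "*/";
  throw new Error("unknown style: " + style);
}

// Client side (same origin, via XHR/fetch): strip the guard, then parse. Only the
// legitimate client sees the raw text; a cross-origin <script> never gets it.
function parseProtectedJson(text) {
  if (text.startsWith(PREFIX)) return JSON.parse(text.slice(PREFIX.length));
  if (text.startsWith("/*") && text.endsWith("*/")) return JSON.parse(text.slice(2, -2));
  // Refuse unguarded bodies: a missing guard is a server misconfiguration and
  // should fail loudly rather than pass through silently.
  throw new Error("response is missing the anti-hijacking guard");
}

// Constructed sample payload of the kind that would be valuable to an attacker.
const sample = { user: "alice", email: "alice@example.com", balance: 1234 };

const wire = protectJson(sample);
console.log(wire);                            // while(1);{"user":"alice",...}
console.log(parseProtectedJson(wire).email);  // alice@example.com
// The guarded body is deliberately NOT valid JSON on its own:
try { JSON.parse(wire); } catch (e) { console.log("raw parse fails, as intended"); }
```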