Your company sells toys online worldwide, which is supported by a three-tiered web-based E-Commerce system. To prevent CSRF (Cross-site request forgery) attacks, which of the following is the most effective control?
A. Conduct awareness training
B. Submit transactions that change states through HTTP POST only
C. Append the hash value of transaction parameters to the query string
D. Put an authentication token in a hidden input in HTML forms in an obscure way
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Put an authentication token in a hidden input in HTML forms in an obscure way.
Conducting awareness training helps, but it’s not sufficient, because to err is human, and people are the weakest link in the security chain of the layered defense.
The main idea of the CSRF (Cross-site request forgery) attack lies in the “request forgery.” That is, HTTP requests that act as transactions can be forged to change states. Two common approaches are used to forge requests:
- Place transaction data or parameters in the query string of a URL, which is clicked by the victim user and submitted through HTTP GET by web browsers.
- Put transaction data or parameters in an HTML form. The victim clicks the “submit” button so that the web browser submits the form through HTTP POST. However, the attacker may submit the form automatically, without the user’s intervention, if the attacker has hijacked the session or the web server has broken authentication.
The query string implies submitting requests through HTTP GET. Sending transactions that modify states through HTTP GET is not an option.
It may help to submit transactions that change states through HTTP POST only, but CSRF can still be triggered through HTML forms that use HTTP POST, and the same-origin policy does not stop such form submissions.
The last line of defense against CSRF is to authenticate HTTP requests. Every HTML form originating from the web server should be embedded with an authentication token or code, and the HTML form returned from the client should be validated to detect forgery.
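A minimal server-side version of that token check, added here as an illustration and not part of the original post (the function names and the in-memory session dict are assumptions; a real application would use its framework's session store):

```python
import hmac
import secrets
from html import escape

# Added example (not from the original post): a minimal synchronizer-token
# pattern. The "session" dict stands in for a real server-side session store.

def issue_csrf_token(session: dict) -> str:
    """Create one unguessable token per session and keep it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def render_transfer_form(session: dict) -> str:
    """Embed the session's token as a hidden input in a state-changing form."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input name="amount"><button>Send</button></form>'
    )

def handle_transfer(method: str, session: dict, form: dict) -> tuple[int, str]:
    """Server-side validation: state changes need POST and a matching token."""
    if method != "POST":
        return 405, "state-changing requests must use POST"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # compare_digest avoids leaking the token through timing differences
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form.get('amount')}"

if __name__ == "__main__":
    s = {}
    render_transfer_form(s)
    print(handle_transfer("POST", s, {"csrf_token": s["csrf_token"], "amount": "10"}))
    print(handle_transfer("POST", s, {"amount": "10"}))  # forged form lacks the token
    print(handle_transfer("GET", s, {"amount": "10"}))   # GET never changes state
```

A form planted on an attacker's site can make the browser send the victim's cookies, but it cannot read the token that only appears in the page the legitimate server rendered, so the check on the server fails.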