1. The best defense against CSRF attacks is unpredictable tokens: a piece of data that the server can use to validate the request and that an attacker cannot guess. For example, an important request could contain a digest of the user's session credential, which is different for every user. For a little extra security, add a timestamp to the token to limit the window of opportunity, as shown in the POST request below:
```http
POST http://fictitiousbank/transfer.cgi HTTP/1.1
Host: fictitiousbank
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 Firefox/3.6.2
Cookie: PHPSESSIONID=7757ADD8766d455NFJJ23875JBJKBFR

from=35367021&to=48412334&amount=5000&date=05072010&token=40E03EF45T443W20K4IC567HY4334DD44&timestamp=1184001456
```

The tokens used should also be cryptographically very strong.
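The token scheme in item 1, worked through as an added example (not code from the original text): the token is a keyed digest (HMAC-SHA256) over the session credential and the timestamp, so it differs per user, cannot be forged without the server secret, and expires with its timestamp. The server secret, the 600-second validity window, and the helper names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Server-side key for the token digest. Assumption: a real deployment loads
# this from a secret store; a fresh random value is used here for the demo.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_WINDOW_SECONDS = 600  # assumed validity window for a token


def make_token(session_id: str, timestamp: int, secret: bytes = SERVER_SECRET) -> str:
    """Derive a CSRF token bound to one session credential and one timestamp."""
    msg = f"{session_id}|{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_token(session_id: str, token: str, timestamp: int,
                 now: Optional[int] = None, secret: bytes = SERVER_SECRET) -> bool:
    """True only if the token matches this session and is still within the window."""
    now = int(time.time()) if now is None else now
    # Reject tokens stamped in the future or older than the allowed window.
    if timestamp > now or now - timestamp > TOKEN_WINDOW_SECONDS:
        return False
    expected = make_token(session_id, timestamp, secret)
    # Constant-time comparison so the expected value does not leak via timing.
    return hmac.compare_digest(expected, token)


def parse_post_body(body: str) -> dict:
    """Split a form-encoded body into fields (no percent-decoding, for brevity)."""
    return dict(pair.split("=", 1) for pair in body.split("&") if "=" in pair)


def check_transfer_request(session_id: str, body: str, now: int) -> bool:
    """Validate the token and timestamp carried in a transfer POST body."""
    fields = parse_post_body(body)
    try:
        ts = int(fields["timestamp"])
    except (KeyError, ValueError):
        return False  # missing or malformed timestamp: treat as forged
    return verify_token(session_id, fields.get("token", ""), ts, now)


if __name__ == "__main__":
    # Constructed request body mirroring the example above, with a fresh token.
    sid, ts = "7757ADD8766d455NFJJ23875JBJKBFR", 1184001456
    body = f"from=35367021&to=48412334&amount=5000&token={make_token(sid, ts)}&timestamp={ts}"
    print("valid:", check_transfer_request(sid, body, ts + 60))      # True
    print("expired:", check_transfer_request(sid, body, ts + 601))   # False
```

A request replayed after the window, reused under another session, or carrying a guessed token all fail validation; only the token and its timestamp need to be checked server-side, nothing is stored per request.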
2. Challenge-Response
Challenge-Response is another defense option for CSRF. The following are some examples of challenge-response options.
- CAPTCHA
- Re-Authentication (password)
- One-time Token
While challenge-response is a very strong defense against CSRF (assuming proper implementation), it does impact user experience. For applications in need of high security, tokens (transparent to the user) and challenge-response should both be used on high-risk functions.
3. Limit the time for which the user's credentials are valid. By enforcing inactivity timeouts, you reduce the chances of CSRF attacks.
4. Password re-verification should be given priority over single sign-on. In this method, users must type in their passwords again when accessing particularly critical functions.
5. Client/User Prevention
Since CSRF vulnerabilities are reportedly widespread, it is recommended to follow best practices to mitigate risk. Some mitigating measures include:
- Logoff immediately after using a Web application
- Do not allow your browser to save username/passwords, and do not allow sites to “remember” your login
- Do not use the same browser to access sensitive applications and to surf the Internet freely (tabbed browsing).
- The use of plugins such as No-Script makes POST based CSRF vulnerabilities difficult to exploit. This is because JavaScript is used to automatically submit the form when the exploit is loaded. Without JavaScript the attacker would have to trick the user into submitting the form manually.