Cross-Site Request Forgery (CSRF) allows an attacker to carry out actions in a different security context, such as that of another, logged-in user. Read here how you can efficiently fix a CSRF vulnerability.
CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Cross-Site Request Forgery (CSRF) allows an attacker to carry out actions in a different security context, such as that of another, logged-in user. To achieve this, a CSRF attack makes the victim's browser send an HTTP request whenever the user opens a website containing malicious code. The code is embedded in such a way that no further action by the user is required. This kind of attack is widely used in spam mails: by clicking on a malicious URL, the user starts the attack without knowing it, and the attack forges the user's actions. The HTTP requests sent without the user's knowledge may access, modify or delete sensitive data.
To prevent CSRF attacks, make sure that an attacker cannot craft an arbitrary request that is sent from a different website and run in the security context of another user:
The most common mitigation for CSRF attacks is the use of a CSRF-Token. When a form contains a hidden field with a specially crafted value (the CSRF-Token) that the backend checks when receiving the form data, CSRF attacks can be prevented: any request that does not originate from the original form will not include the correct value for the CSRF-Token and can be rejected. The CSRF-Token must be tied to a single user session and must not be reused across sessions or for different users.
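The following is an added example, not code from Crashtest Security or from any framework, showing the mechanism described above in plain Python: a token is derived from a server secret and the session identifier, so it only validates for the session it was issued to. The server secret and the session identifiers are constructed for the example; in practice use the framework's built-in CSRF protection rather than rolling your own.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret for this example only; a real deployment loads it from
# configuration and never hard-codes it in source.
SERVER_SECRET = b"example-secret-do-not-use-in-production"


def _mac(session_id: str, nonce: str) -> str:
    """HMAC-SHA256 over (session_id, nonce) keyed with the server secret."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_csrf_token(session_id: str) -> str:
    """Issue a token bound to one session: nonce.HMAC(secret, session_id:nonce).

    Because the session id is part of the MAC input, a token captured or
    issued in one session does not validate in any other session.
    """
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Return True only if token was issued for this exact session."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def hidden_field(session_id: str) -> str:
    """Render the hidden input the form should carry for this session."""
    token = make_csrf_token(session_id)
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def handle_form_post(session_id: str, form: dict) -> str:
    """Simulated backend handler for a state-changing POST request."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        # A cross-site request cannot know the token, so it is rejected here.
        return "403 Forbidden: missing or invalid CSRF token"
    return "200 OK: action performed"
```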
To protect forms in Laravel, just include the following code within the <form></form> tags.
With Django, it is similarly easy to protect any form with a CSRF-Token by using the snippet within the <form></form> tags.
// Read the CSRF token from the cookie Django sets (using the js-cookie library),
// so AJAX requests can send it back in the X-CSRFToken header.
var csrftoken = Cookies.get('csrftoken');
Please refer to the Django documentation for more detailed examples.
For using CSRF-Tokens with your preferred framework, please check the appropriate documentation.
For more information about Crashtest Security visit crashtest-security.com