Cross Site Request Forgery Prevention

CSRF (cross-site request forgery) is an attack in which unwanted operations are performed using the currently authenticated user's session, such as changing the password, transferring funds, or enabling/disabling a service.

In the worst case it is performed against an administrative account, which compromises the security of the entire application.

For example, suppose there is an endpoint to change the contact number:

GET http://mysite.com/change-number?new=12345

One way to carry out CSRF is for the intruder to embed that URL in a link the user is likely to click:

<a href="http://mysite.com/change-number?new=54321">Check your daily horoscope</a>

Here are a few ways to prevent CSRF attacks:

1.) Never perform actions that change user state, such as a password reset or changing the primary email, in a GET request.

2.) Agree on a random, unguessable value (a CSRF token), pass it as a hidden parameter in each POST and PUT request, and check for that value on every such request.

3.) For requests that don't use form encoding, the random value can be sent in a request header instead.

4.) Add user interaction: for critical transactions, require the user to re-verify their identity with an OTP, a CAPTCHA, or the account password.

5.) Prevent the cookie from being sent with cross-site requests by setting the SameSite attribute to Strict:

Set-Cookie: sessionid=<your id>; SameSite=Strict
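Items 2, 3 and 5 combined into a minimal server-side check, as an added example that is not from the original post. The in-memory session store, the hidden field name `csrf_token`, the header name `X-CSRF-Token` and the extra `Secure`/`HttpOnly` cookie flags are assumptions for the demonstration.

```python
import hmac
import secrets

# Per-session CSRF tokens (synchronizer token pattern). In a real app this
# store lives in the server-side session; a plain dict keeps the example
# self-contained (assumption for the demo).
_session_tokens = {}


def issue_csrf_token(session_id):
    """Create (or reuse) the random value that the server embeds as a hidden
    form field, or that a script sends back in a header, for this session."""
    token = _session_tokens.get(session_id)
    if token is None:
        token = secrets.token_urlsafe(32)  # unguessable, ASCII-safe
        _session_tokens[session_id] = token
    return token


def is_state_changing(method):
    return method.upper() in {"POST", "PUT", "PATCH", "DELETE"}


def csrf_check(session_id, method, form, headers):
    """Return True if the request may proceed.
    Safe methods pass through but must never change state (item 1).
    The token may arrive as the hidden field 'csrf_token' (item 2) or in
    the 'X-CSRF-Token' header for non-form bodies (item 3); both names are
    assumptions, not from the article."""
    if not is_state_changing(method):
        return True
    expected = _session_tokens.get(session_id)
    if expected is None:
        return False  # no token was ever issued for this session
    supplied = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not supplied:
        return False
    # constant-time comparison so timing does not leak the token
    return hmac.compare_digest(expected.encode(), supplied.encode())


def session_cookie(session_id):
    """Set-Cookie value for the session: SameSite=Strict stops the browser
    attaching it to cross-site requests (item 5). Secure and HttpOnly are
    added hardening defaults (assumption, not from the article)."""
    return f"sessionid={session_id}; SameSite=Strict; Secure; HttpOnly; Path=/"
```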

Some precautionary steps a user can take against CSRF attacks:

1.) Perform sensitive work such as banking in the browser's `private/incognito` mode.

2.) Don't allow sites to remember your `username/password`.

3.) Use browser extensions such as NoScript, Quick Javascript Switcher, Toggle Javascript, etc.

4.) Log out of applications once the work is done.

That’s it. Hope you find it useful.

About CauseCode: We are a technology company specializing in Healthtech related Web and Mobile application development. We collaborate with passionate companies looking to change health and wellness tech for good. If you are a startup, enterprise or generally interested in digital health, we would love to hear from you! Let's connect at bootstrap@causecode.com
