
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

86 Hacking Exposed Web 2.0
CSRF Protections
The best protection against the CSRF attacks shown in this chapter, and one that also helps
mitigate cross-domain attacks more generally, is the use of a cryptographic token for every
GET/POST request that is allowed to modify server-side data (as noted in a whitepaper written
by Jesse Burns of iSEC Partners¹). The token gives the application an unpredictable, unique
parameter that is specific to each user and session, so the application's control structure
differs from user to user. Because an attacker cannot predict that control structure, the
exposure to CSRF is reduced. See the whitepaper for more information.
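The token scheme described above, as an added example that is not code from the book: a session-bound anti-CSRF token is minted when the session starts, embedded by the server in its own forms, and required (with a constant-time comparison) on every state-changing request. The session store, handler names and "transfer" operation are constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store; stands in for a real session backend.
SESSIONS = {}

def start_session():
    """Create a session and mint its per-session, unpredictable anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "balance": 100}
    return sid

def csrf_token_for(sid):
    """Token the legitimate application embeds in its own forms and AJAX calls."""
    return SESSIONS[sid]["csrf_token"]

def handle_transfer(cookies, params):
    """State-changing handler: cookies arrive automatically with any cross-site
    request, so authorization must also rest on the token in the request params."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "no session"
    supplied = params.get("csrf_token", "")
    # Constant-time comparison so the check itself does not leak token bytes.
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    amount = int(params.get("amount", 0))
    if amount <= 0 or amount > session["balance"]:
        return 400, "bad amount"
    session["balance"] -= amount
    return 200, f"transferred {amount}"

def demo():
    """Legitimate request carries the token; a forged cross-site request only
    carries the cookie and is rejected before server-side data changes."""
    sid = start_session()
    cookies = {"session": sid}
    legit = handle_transfer(cookies, {"amount": "10", "csrf_token": csrf_token_for(sid)})
    forged = handle_transfer(cookies, {"amount": "10"})  # no token available cross-site
    return legit, forged, SESSIONS[sid]["balance"]

if __name__ == "__main__":
    print(demo())
```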
SUMMARY
Since the invention of the World Wide Web, web pages have been allowed to interact
with web servers belonging to completely different domains. This is fundamental to
the Web, and without links among domains the Internet would be a much less useful
tool. However, the fact that users and autonomous scripts are both able to create HTTP
requests that look identical creates a class of vulnerabilities to which most web applications
are vulnerable by default. These vulnerabilities have existed for decades but are
only now being explored by legitimate and malicious security researchers, and they have
only become more interesting with the invention of AJAX web applications.

