Académique Documents
Professionnel Documents
Culture Documents
No Anti-CSRF tokens were found in an HTML form. Cross Site Request Forgery
(CSRF) is an attack that involves forcing a victim to send an HTTP request to a
target destination, without their knowledge or intent, in order to perform an
action by pretending to be the victim. The root cause is that application
functionality is invoked using predictable and repeatable URLs or form actions.
The nature of the attack is that CSRF exploits the trust a website places in a
user. On the other hand, cross-site scripting (XSS) exploits the user's trust in a
website. Like XSS, CSRF attacks are not necessarily multi-site, but they can be.
Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session
riding, confused deputy, and sea surfing. CSRF attacks are effective in many
situations, including:
when the victim has an active session on the target site.
when the victim is authenticated via HTTP auth on the target site.
when the victim is on the same local network as the target site. CSRF was
first used to take action against a target site using the victim's privileges,
but recent techniques allow access to intelligence by accessing the
response. The risk of information disclosure is significantly increased
when the target site is vulnerable to XSS, because XSS can be used as a
platform for CSRF, allowing the attack to operate within the confines of
the same-origin policy.
CSRF a d'abord été utilisée pour effectuer une action contre un site cible en
utilisant les privilèges de la victime, mais des techniques récentes permettent
d'avoir accès à des renseignements en accédant à la réponse. Le risque de
divulgation d'informations est considérablement augmenté lorsque le site cible
est vulnérable aux XSS, parce que XSS peut être utilisé comme une plateforme
pour CSRF, permettant à l'attaque d'opérer dans les limites de la politique de
même origine.
Solution
Phase: Architecture and Design Use an approved library or framework that does not allow
this vulnerability, or that contains features that make it easier to avoid this vulnerability. For
example, use anti-CSRF libraries such as CSRFGuard from OWASP.
Phase: Implementation Make sure your application is free from cross-site scripting issues,
because most defenses against CSRF can be bypassed using attacker-controlled scripts.
Phase: Architecture and Design Generate a one-time value for each form, place it in the
form, and verify it when the form is received. Make sure this unique value is not predictable
(CWE-330). Note that this can also be bypassed using XSS. Identify particularly dangerous
operations. When the user performs a dangerous operation, send a separate confirmation
request to verify that the user actually wants to perform this operation. Note that this can
also be bypassed using XSS. Use the ESAPI session management library. This library includes a
component for CSRF control. Do not use the GET method for requests that result in a state
change.
Phase: Implementation Check the HTTP Referer header to see if the request is coming from
an expected page. This could, however, restrict the functionality of the application, as users
or proxy servers may have disabled HTTP Referer referral for privacy reasons.
Phase : Architecture et Design
Utilisez une librairie ou un framework approuvé qui ne permet pas cette vulnérabilité, ou qui
contient des fonctionnalités permettant d'éviter plus facilement cette vulnérabilité.
Utilisez par exemple des librairies anti-CSRF telles que CSRFGuard de l'OWASP.
Phase : Implémentation
Assurez-vous que votre application soit exempte de problèmes de cross-site scripting, parce
que la plupart des défenses contre le CSRF peuvent être contournées en utilisant des scripts
contrôlés par le pirate.
N'utilisez pas la méthode GET pour les requêtes entraînant un changement d'état.
Phase: Implémentation
Vérifiez l'en-tête HTTP Referer pour voir si la requête provient d'une page attendue. Ceci
pourrait toutefois restreindre la fonctionnalité de l'application, car les utilisateurs ou les
serveurs proxy pourraient avoir désactivé le renvoi du HTTP Referer pour des raisons de
confidentialité.