
Posts

Showing posts from April, 2016

Are tokens enough to prevent CSRF?

CSRF attacks exploit the trust that a website has in a client such as a web browser. The website assumes that a request arriving from an authenticated client reflects the intention of the person using that client, but the browser attaches the user's cookies (including the session cookie) to any request it sends to that site, no matter which page caused the request. An attacker therefore tricks the browser into issuing a request to the server, and the server accepts it because it trusts the client.

At its simplest, a CSRF attack involves placing a malicious form on a web page that causes the client to send a POST request to a URL on the target site.

As an example, imagine that a user called Alice is logged into Facebook in one tab and is browsing the internet in another. A filthy pirate called Bob creates a web page containing a malicious form that submits a POST request to Facebook, sending someone a link to Rick Astley dancing. Alice arrives on Bob's page and JavaScript submits the form to Facebook. Facebook trusts Alice's web browser, and there is a valid session for her, so it processes th