CSRF - Cross Site Request Forgery

Target User with an account on a vulnerable server

Attack To make request(s) to the vulnerable server through the user’s browser that the server duly performs because it cannot distinguish
goal them from “legitimate” requests

Attacker Attacker’s ability to get the user to click a link crafted by the attacker that makes the request to the vulnerable server
tools

<image src=http://bank.com/transfer.cgi?ammount=9999&to=attacker_account>
 

Synchronizer Tokens
Other helpful defense

No XSS
Use proper HTTP verbs
Secretized Links

Verify Same Origin with standard headers

CSRF-Protection for Java

Rule code Name

OPT.JAVA.SEC_JAVA.CrossSiteRequestForgeryRule Cross-Site Request Forgery (CSRF)

OPT.JAVA.SEC_JAVA.PlaySecurityMisconfiguration Security misconfiguration in Play framework.

OPT.JAVA.SEC_JAVA.InsecureRandomnessRule Standard pseudo-random number generators cannot withstand cryptographic

attacks

OPT.JAVA.SEC_JAVA.UnsafeCookieRule Generate server-side cookies with adequate security properties

OPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule Avoid misconfiguration of security properties in web.xml descriptor

OPT.JAVA.SEC_JAVA.CrossSiteRequestForgeryRule
Configuration

checkStateChange

checkers
CSRF References
Protection

Spring https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html

http://www.codejava.net/frameworks/spring/spring-web-mvc-security-basic-example-part-1-with-xml-configuration

http://www.codejava.net/frameworks/spring/spring-web-mvc-security-basic-example-part-2-with-java-based-configuration

OWASP https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
CSRFGuard
3

Tomcat https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CSRF_Prevention_Filter
CSRF
Prevention https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/filters/CsrfPreventionFilter.html
Filter https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CSRF_Prevention_Filter
https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/e5be9994bb571014b575a785961062db.html

OWASP https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
ESAPI
http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/

https://www.owasp.org/index.php/ESAPI_Secure_Coding_Guideline

https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
https://www.owasp.org/index.php/ESAPI_Secure_Coding_Guideline
https://static.javadoc.io/org.owasp.esapi/esapi/2.1.0/org/owasp/esapi/HTTPUtilities.html#addCSRFToken(java.lang.String)

Struts 1 https://stackoverflow.com/questions/4303635/cross-site-request-forgery-prevention-using-struts-token

Struts 2 https://stackoverflow.com/questions/22802225/how-to-implement-csr-forgery-prevention-code-on-struts2

Hdiv https://hdivsecurity.com/docs/csrf/

https://github.com/hdiv/hdiv
Spring Security

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

Spring Security 4.x

 <http>
<!-- ... -->
<csrf disabled="true"/>
</http>

@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception { http
.csrf().disable();
}
}

Spring Security 3.x (or older)

<http>
<!-- ... -->
<csrf/>
</http>
OWASP CSRFGuard
 <filter>
<!-- ... -->
<filter-name>CSRFGuard</filter-name>
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
<!-- ... -->
<filter-name>CSRFGuard</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

Tomcat CSRF Prevention Filter

OWASP Enterprise Security API (ESAPI)

AU009 Link and form URLs for all transactions shall be updated with the HTTPUtilities.addCSRFToken() method to add a CSRF token.

AU010 All HTTP requests for transactions shall be verified using the HTTPUtilities.verifyCSRFToken() method to check that the request is not
forged.

Struts 1
Struts 2
 <interceptors>
<interceptor-stack name="defaultSecurityStack">
<interceptor-ref name="defaultStack"/>
<interceptor-ref name="tokenSession">
<param name="excludeMethods">*</param>
</interceptor-ref>
</interceptor-stack>
</interceptors>

<default-interceptor-ref name="defaultSecurityStack"/>

HDIV
 <listener>
<listener-class>org.hdiv.listener.InitListener</listener-class>
</listener>

<!-- Hdiv Validator Filter -->

<filter>
<filter-name>ValidatorFilter</filter-name>
<filter-class>org.hdiv.filter.ValidatorFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ValidatorFilter</filter-name>
<!-- Spring MVC Servlet name-->
<servlet-name>SampleMvc</servlet-name>
</filter-mapping>

JavaServer Faces (JSF) 2

OPT.JAVA.SEC_JAVA.PlaySecurityMisConfiguration
OPT.JAVA.SEC_JAVA.InsecureRandomnessRule

OPT.JAVA.SEC_JAVA.UnsafeCookieRule


OPT.JAVA.SEC_JAVA.WebXmlSecurityMisconfigurationsRule


CSRF-Protection for JavaScript

Rule code Name

OPT.JAVASCRIPT.CrossSiteRequestForgery Execution of an action on user behalf in a previously authenticated web site (cross-site request
forgery, CSRF)

OPT.JAVASCRIPT.UnsafeCookie Generate server-side cookies with adequate security properties

OPT.JAVASCRIPT.CrossSiteRequestForgery
 

JS Server Framework Protection Reference

Node.js Express csurf https://github.com/expressjs/csurf

alt-xsrf https://www.npmjs.com/package/alt-xsrf

Koa koa-csrf https://github.com/koajs/csrf

stateless-csrf https://github.com/koajs/stateless-csrf

koa-atomic-session https://github.com/koajs/atomic-session

SAP Hana XS prevent_xsrf http://hanaperspective.blogspot.com.es/2017/02/sap-hana-xs-application-access-file.html

OPT.JAVASCRIPT.UnsafeCookie
CSRF-Protection for JSP

OPT.JSP.SEC_JSP.FileInclusionVulnerability
CSRF-Protection for Csharp

Rule code Name

OPT.CSHARP.CrossSiteRequestForgery Cross-Site Request Forgery (CSRF)

OPT.CSHARP.CrossSiteScripting Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OPT.CSHARP.StoredCrossSiteScripting Web content generation from improper sanitized database data and escaped output
(Stored Cross-site Scripting, XSS)

OPT.CSHARP.MVCPostInControllers Restrict allowed HTTP verbs for state-change operations in MVC controllers

OPT.CSHARP.SEC.CrossSiteHistoryManipulation Cross-Site History Manipulation (XSHM)

OPT.CSHARP.SEC.UnsafeCookieRule Generate server-side cookies with adequate security properties

OPT.CSHARP.TooMuchOriginsAllowed Too much allowed origins in HTML5 Access-Control-Allow-Origin header

OPT.CSHARP.CrossSiteRequestForgery
 1. If a code fragment (an MVC / Web API controller or state-changing method, or a Web Forms page) should be protected against
CSRF attacks.
2. If such code is protected with one of the recommended anti-CSRF protection schemes:
a. For a WebForms page, checks whether ViewStateUserKey is set (without disabling EnableViewStateMac). Parent pages
and master pages are taken into account.
b. For a MVC controller action method, checks for [ValidateAntiForgeryToken] attribute (or a call to AntiForgery.Validate()).
c. Alternatives, like common Captcha controls like Google's Recaptcha, are checked for.
3. If no protection is found for the candidate code, a CSRF vulnerability is reported.

Implementation in Web Forms

Implementation in ASP .NET MVC and Web API

Additional Kiuwan rules and notes on CSRF in Csharp
Rule code Name

OPT.CSHARP.CrossSiteRequestForgery Cross-Site Request Forgery (CSRF)

OPT.CSHARP.CrossSiteScripting Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OPT.CSHARP.StoredCrossSiteScripting Web content generation from improper sanitized database data and escaped output
(Stored Cross-site Scripting, XSS)

OPT.CSHARP.MVCPostInControllers Restrict allowed HTTP verbs for state-change operations in MVC controllers

OPT.CSHARP.SEC.CrossSiteHistoryManipulation Cross-Site History Manipulation (XSHM)

OPT.CSHARP.SEC.UnsafeCookieRule Generate server-side cookies with adequate security properties

OPT.CSHARP.TooMuchOriginsAllowed Too much allowed origins in HTML5 Access-Control-Allow-Origin header

CSRF-Protection for PHP

Rule code Name

OPT.PHP.CrossSiteRequestForgery Cross-Site Request Forgery (CSRF)

OPT.PHP.AvoidUseDefaultSecret Avoid using secret value default symfony: ThisTokenIsNotSoSecretChangeIt

OPT.PHP.CrossSiteScripting Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OPT.PHP.StoredCrossSiteScripting Improper neutralization of stored data during web content generation (Cross-site Scripting,
XSS)

OPT.PHP.SEC.CrossSiteHistoryManipulation Cross-Site History Manipulation (XSHM)

OPT.PHP.CrossSiteRequestForgery
 1. If a code fragment should be protected against CSRF attacks (that is, performs state-change operations, like database changes or
file writes).
2. If such code is protected with one of the recommended anti-CSRF protection schemes.
3. If no protection is found for the candidate code, a violation is reported.

PHP Library Protection Reference

OWASP PHP CSRF Guard https://www.owasp.org/index.php/PHP_CSRF_Guard

CSRF Magic csrf-magic.php https://github.com/ezyang/csrf-magic

CSRF Protector csrfprotector.php https://github.com/mebjas/CSRF-Protector-PHP/wiki

CSRF4PHP CsrfToken https://github.com/foxbunny/CSRF4PHP/

NoCSRF https://github.com/BKcore/NoCSRF

Csrf (skookum) https://github.com/Skookum/csrf/blob/master/classes/csrf.php

Anticsurf https://code.google.com/archive/p/anticsurf

CSRF Protection (XCMer) https://github.com/XCMer/csrfprotect

Paragonie Anti-CSRF https://github.com/paragonie/anti-csrf

EasyCSRF https://github.com/gilbitron/EasyCSRF

PHP RFC https://wiki.php.net/rfc/automatic_csrf_protection

Additional Kiuwan rules and notes on CSRF in PHP

Rule code Name

OPT.PHP.AvoidUseDefaultSecret Avoid using secret value default symfony: ThisTokenIsNotSoSecretChangeIt

OPT.PHP.CrossSiteScripting Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OPT.PHP.StoredCrossSiteScripting Improper neutralization of stored data during web content generation (Cross-site Scripting,
XSS)

OPT.PHP.SEC.CrossSiteHistoryManipulation Cross-Site History Manipulation (XSHM)

CSRF-Protection for PHP

Rule code Name

OPT.PYTHON.SECURITY.CrossSiteRequestForgery Cross-Site Request Forgery (CSRF)

OPT.PYTHON.SECURITY.CrossSiteScripting Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OPT.PYTHON.SECURITY.StoredCrossSiteScripting Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OPT.PYTHON.SECURITY.UnsafeCookie Generate server-side cookies with adequate security properties

OPT.Python.Security.CrossSiteRequestForgery
 1. If Django is used
a. The middleware django.middleware.csrf.CsrfViewMiddleware (which is enabled by default) must be kept enabled.
b. Controllers shouldn't be decorated with @csrf_exempt, as it disabled the csrf
2. If no protection is found (not using Django CSRF-protection or it’s disabled), a CSRF vulnerability is reported.

Additional Kiuwan rules and notes on CSRF in Python

OPT.PYTHON.SECURITY.CrossSiteScripting Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OPT.PYTHON.SECURITY.StoredCrossSiteScripting Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OPT.PYTHON.SECURITY.UnsafeCookie Generate server-side cookies with adequate security properties