Showing posts from June, 2013

Flawed CSRF token implementation

The sole purpose of (secret) CRSF token is to help the application identify authenticated or unauthenticated requests. Any request that doesn’t contain csrf tokens are treated as unauthenticated one thus rejected by the application as the csrf tokens are only available to the authenticated users.
But contrary to that, in one application, the csrf tokens are generated before login and worse, it’s not regenerated after successful authentication of the user. This defeats the purpose of anti-csrf approach.

Anti-CSRF best practices:

    Don’t issue csrf tokens before authentication
    Always regenerate the tokens after successful authentication, if issued before authentication
    Use POST methods for critical transactions embedding csrf tokens
    Don’t send the csrf tokens in GET requests as they may reveal it in browser logs etc

In few Ruby based apps, where the token was being generated before authentication and same was being used.

Mitigation: (taken from 'Symbolic Security Analysis of …