Request Vulnerabilities

One of the main security vulnerabilities facing any web application is Cross-Site Request Forgery, usually abbreviated CSRF or XSRF and pronounced “sea surf.” Despite the name, the attack does not rely on a bug in the browser or on injecting code into the victim site. It exploits the fact that a browser automatically attaches a site’s cookies to every request it sends to that site, regardless of which page triggered the request. An attacker who can get a logged-in user’s browser to issue a request to the site (from a forum post, an email, or a page the attacker controls) therefore gets that request made with the user’s credentials, without ever seeing the cookie. Let’s look at an example.

Anatomy of a Cross-Site Request Forgery

Let’s say Alice is a regular customer of Burt’s Books. When she’s logged into her account on the online store, the website identifies her with a browser cookie. Now suppose an unscrupulous author, Melvin, wants to increase sales of his book. On a web forum that Alice frequents, he has posted an entry with an HTML image tag whose source is a URL that initiates a purchase in the online store. For example:

<img src="http://store.burts-books.com/purchase?title=Melvins+Web+Sploitz" />

Alice’s browser will attempt to fetch the image source and, because the request goes to store.burts-books.com, will attach her legitimate session cookie to it. The store sees an authenticated request from Alice and, instead of returning a picture of a kitten, initiates a purchase in her name. The forum never needs to run any script, and Melvin never learns Alice’s cookie; the browser does the work for him.

Defending Against Request Forgeries

There are a number of precautions to take in order to prevent this sort of attack. The first requires some forethought on your part when developing your application. Any HTTP request that causes a side effect (making a purchase, editing account settings, changing a password, deleting a document) should use the HTTP
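The following is an added example, not code from Introduction to Tornado or from the Tornado project itself. It models the scenario above in plain Python: a store that authenticates by session cookie, a browser that attaches that cookie to a cross-site image fetch, and three versions of the purchase endpoint. The first accepts GET (forgeable via an img tag), the second requires POST (which stops the img tag but not a hidden form an attacker’s page auto-submits), and the third also checks a per-session token that the store embeds in its own forms, which is the defense that Tornado’s xsrf_cookies setting provides and which this page’s text has not yet reached. The Store and Request classes, the cookie values, and the in-memory token table are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: one logged-in session belonging to Alice.
SESSIONS = {"sess-alice-1234": "alice"}  # session cookie value -> user


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, not Tornado's)."""
    method: str
    url: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Store:
    """Burt's Books purchase endpoint with switchable defenses."""
    require_post: bool = False   # defense 1: side-effecting requests must be POST
    require_token: bool = False  # defense 2: POST must carry the session's _xsrf token
    purchases: list = field(default_factory=list)
    tokens: dict = field(default_factory=dict)  # session cookie -> token (in-memory)

    def issue_token(self, session_cookie):
        """Called when the store renders its own purchase form; the token is
        embedded in that form, so a cross-site page cannot read it."""
        token = secrets.token_hex(16)
        self.tokens[session_cookie] = token
        return token

    def purchase(self, req):
        """Handle /purchase. Returns (status, message)."""
        user = SESSIONS.get(req.cookies.get("session"))
        if user is None:
            return 403, "not logged in"
        if self.require_post and req.method != "POST":
            return 405, "purchases must be submitted with POST"
        if self.require_token:
            expected = self.tokens.get(req.cookies["session"])
            supplied = req.form.get("_xsrf", "")
            # Constant-time comparison; a missing token fails outright.
            if not expected or not hmac.compare_digest(expected, supplied):
                return 403, "missing or invalid _xsrf token"
        title = req.form.get("title") or parse_qs(urlsplit(req.url).query).get("title", [""])[0]
        self.purchases.append((user, title))
        return 200, f"purchased {title!r} for {user}"


def browser_load_image(store, img_src, cookie_jar):
    """Model of the browser fetching an <img> on Melvin's forum post: a cross-site
    GET to which the browser attaches whatever cookies it holds for the image's host."""
    host = urlsplit(img_src).hostname
    req = Request("GET", img_src, cookies=dict(cookie_jar.get(host, {})))
    return store.purchase(req)


ALICE_COOKIES = {"store.burts-books.com": {"session": "sess-alice-1234"}}
MELVIN_IMG = "http://store.burts-books.com/purchase?title=Melvins+Web+Sploitz"
STORE_URL = "http://store.burts-books.com/purchase"


def forged_get(store):
    return browser_load_image(store, MELVIN_IMG, ALICE_COOKIES)


def forged_post(store):
    """Attacker page auto-submits a hidden form: cookies ride along, the token does not."""
    cookies = dict(ALICE_COOKIES["store.burts-books.com"])
    return store.purchase(Request("POST", STORE_URL, cookies, {"title": "Melvins Web Sploitz"}))


def legitimate_post(store):
    """Alice submits the store's own form, which carries the token the store issued."""
    sess = ALICE_COOKIES["store.burts-books.com"]["session"]
    token = store.issue_token(sess)
    return store.purchase(Request("POST", STORE_URL, {"session": sess}, {"title": "Kittens", "_xsrf": token}))


def run_scenarios():
    """Return the status codes each endpoint variant gives the forged and legitimate requests."""
    results = {}
    vulnerable = Store()
    results["vulnerable_get"] = forged_get(vulnerable)[0]           # 200: the img tag buys the book
    post_only = Store(require_post=True)
    results["post_only_get"] = forged_get(post_only)[0]             # 405: img tag defeated
    results["post_only_forged_post"] = forged_post(post_only)[0]    # 200: hidden form still works
    hardened = Store(require_post=True, require_token=True)
    results["hardened_forged_post"] = forged_post(hardened)[0]      # 403: no token
    results["hardened_legit_post"] = legitimate_post(hardened)[0]   # 200: Alice's own form
    results["purchases"] = {"vulnerable": len(vulnerable.purchases), "hardened": len(hardened.purchases)}
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The middle scenario is the one to remember: restricting side-effecting actions to POST is necessary because it kills the trivial img-tag forgery, but it is not sufficient on its own, since an attacker’s page can submit a POST form as easily as the store’s own page can. The token closes that gap because it lives in the store’s HTML and the attacker’s page, being on a different origin, cannot read it.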

Get Introduction to Tornado now with the O’Reilly learning platform.
