A8 – Preventing CSRF
When Web applications don't use a per-session or per-operation token or if the token is not correctly implemented, they may be vulnerable to cross-site request forgery and an attacker may force authenticated users to do unwanted operations.
CSRF is the eighth most critical vulnerability in Web applications nowadays, according to OWASP, and we will see how to prevent it in our applications in this recipe.
How to do it...
- The first and the most practical solution for CSRF is to implement a unique, per-operation token, so every time the user tries and executes an action, a new token is generated and verified server-side.
- The unique token should not be easily guessable by an attacker; so they can't include it in the CSRF page. Random ...
Get Kali Linux Web Penetration Testing Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
