Seven Deadliest Web Application Attacks by Mike Shema

Shared Secrets

The most effective CSRF countermeasure assigns a temporary pseudo-random token to the sensitive forms or links that may be submitted by an authenticated user. The value of the token is known only to the Web application and the user's Web browser. When the Web application receives a request, it first verifies that the token's value is correct. If the value doesn't match the one expected for the user's current session, then the request is rejected. An attacker must include a valid token when forging a request.

<form>
  <input type="hidden" name="csrf" value="57ba40e58ea68b228b7b4eaf3bca9d43">
</form>

Secret tokens need to be ephemeral and unpredictable to be effective. The token should be refreshed for each sensitive state transition; ...
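As an added example (not code from the book), the following Python sketch implements the scheme described above: the server generates an unpredictable token with the `secrets` module, stores it in the user's server-side session, embeds it as a hidden field in the sensitive form, compares the submitted value in constant time, and issues a fresh token after every successful sensitive request so that a token is tied to a single state transition. The `/transfer` endpoint, the in-memory session dictionary and the form field names are assumptions made for illustration.

```python
import hmac
import secrets

TOKEN_BYTES = 16  # 32 hex characters, the same length as the value shown in the form above


def issue_token(session):
    """Create a fresh, unpredictable token and remember it in the user's session.

    The session dict stands in for whatever server-side session store the
    application uses (an assumption for this example)."""
    token = secrets.token_hex(TOKEN_BYTES)  # CSPRNG, not guessable by an attacker
    session["csrf"] = token
    return token


def render_form(session):
    """Embed the session's current token as a hidden field in a sensitive form."""
    token = session.get("csrf") or issue_token(session)
    return (
        '<form method="post" action="/transfer">\n'  # hypothetical endpoint
        f'  <input type="hidden" name="csrf" value="{token}">\n'
        "</form>"
    )


def verify_token(session, submitted):
    """Return True only if the submitted token matches the one expected for this session.

    A token that verifies is consumed: the token is refreshed, so the next
    sensitive request must carry the new value and a replayed token fails."""
    expected = session.get("csrf")
    if not expected or not isinstance(submitted, str):
        return False
    # Constant-time comparison avoids leaking the expected value through timing.
    if not hmac.compare_digest(expected, submitted):
        return False
    issue_token(session)  # refresh after each sensitive state transition
    return True


def handle_transfer(session, form):
    """Hypothetical sensitive endpoint: reject the request unless the token checks out.

    Returns an (http_status, message) tuple."""
    if not verify_token(session, form.get("csrf")):
        return 403, "request rejected: missing or invalid CSRF token"
    return 200, f"transferred {form.get('amount')} to {form.get('to')}"


if __name__ == "__main__":
    session = {}  # constructed session for one authenticated user
    print(render_form(session))

    # A request submitted from the application's own form carries the token.
    legit = {"csrf": session["csrf"], "to": "alice", "amount": "10"}
    print(handle_transfer(session, legit))

    # A request forged from another origin cannot know the token and is rejected.
    forged = {"to": "mallory", "amount": "999"}
    print(handle_transfer(session, forged))
```

Because the token is stored server-side and regenerated after each accepted request, the check rejects both a request that omits the token and a request that replays a token already used for an earlier state transition.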
