CSRF vulnerabilities and solutions

Modified on Thu, 14 Mar at 12:03 PM

CSRF vulnerability:

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other. The forged action might be, for example, changing the email address on the victim's account, changing their password, or making a funds transfer. Depending on the nature of the action, the attacker might be able to take full control of all the application's data and functionality.

Solution:

The most robust way to defend against CSRF attacks is to include a CSRF token within relevant requests.

To prevent this in Smarten, we have to set Security Request Matcher in the application configuration file.

In the security-config.xml file (/smarten/WEB-INF/security-config.xml), the line below has to be uncommented or added inside the security configuration:

<csrf request-matcher-ref="csrfSecurityRequestMatcher"/>

Once this is set, a CSRF token is appended to every request in Smarten and strictly validated at the server. All HTTP requests are intercepted, and if the token does not match, the request is treated as forbidden and is not processed further (as shown in the screenshot below).

CSRF SECURITY MESSAGE
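The request-matcher-ref attribute above points at a Spring Security RequestMatcher bean that decides which requests the CSRF filter must validate. The following is an added example of such a bean, not Smarten's own code: the package name, class name, the javax servlet namespace and the policy of exempting only RFC 7231 safe methods are assumptions, chosen because they are the conventional way to wire this element.

```java
// Added example (not Smarten's own code): a RequestMatcher bean that the
// <csrf request-matcher-ref="csrfSecurityRequestMatcher"/> element can reference.
// Package, class name and the javax.servlet namespace are assumptions.
package com.example.security;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Decides which requests Spring Security's CsrfFilter must validate.
 * Wired in security-config.xml as (example wiring, not from the page):
 *
 *   <bean id="csrfSecurityRequestMatcher"
 *         class="com.example.security.CsrfSecurityRequestMatcher"/>
 *   ...
 *   <csrf request-matcher-ref="csrfSecurityRequestMatcher"/>
 *
 * A request this matcher returns true for must carry a valid token
 * (request parameter _csrf or header X-CSRF-TOKEN by default); otherwise
 * the filter rejects it with HTTP 403 Forbidden before it reaches Smarten.
 */
public class CsrfSecurityRequestMatcher implements RequestMatcher {

    // Methods RFC 7231 defines as safe (no server-side state change).
    // CSRF only matters for state-changing requests, so these are exempt.
    private static final Set<String> SAFE_METHODS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS")));

    @Override
    public boolean matches(HttpServletRequest request) {
        // Every non-safe method (POST, PUT, DELETE, PATCH, ...) is protected.
        return !SAFE_METHODS.contains(request.getMethod().toUpperCase());
    }
}
```

Because the matcher exempts only safe methods, any form post or AJAX call that changes state is validated, which is what produces the forbidden response shown in the screenshot when a token is missing or wrong; if you need GET requests validated as well, the matcher can simply return true for every request.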

Please refer to Application Security Implementation Manual to learn more.


Note: This article is based on Smarten Version 5.x. This may or may not be relevant to the Smarten version you may be using.

