DEV Community

Cover image for Defense Against the Dark Arts: CSRF Attacks

Defense Against the Dark Arts: CSRF Attacks

Richard Feldman on April 17, 2017

After an unspecified "werewolf incident" we have become the new maintainer of the hogwarts.edu web app. Our first day on the job begins with Profe...
Collapse
 
andrepiske profile image
André Diego Piske

It's now 2019 and yet IMO this is the best article on CSRF out there 😁
I have this in my favorites and I check it every now and then.

Collapse
 
franzp profile image
Francois Poizat

I have been to hogwarts.edu/. Apparently the maintainer has already been severely hacked since the hackers suceeded in taking control of the domain name and unregistering it. So I'm not sure if I should listen to the maintainer because his own security seems lacking.

Collapse
 
nv1t profile image
nuit

as far as my knowledge goes: there was a bug to add custom headers without a pre-flight in flash in 2013/2014.
bugs.chromium.org/p/chromium/issue...
bugs.chromium.org/p/chromium/issue...

it could happen again with any other plugin. Therefore implementing tokens is not only second-line, but should be first-line of defense :)

Collapse
 
rtfeldman profile image
Richard Feldman

It looks like the Origin/Referer check would have prevented these though, yeah? (I think these are the Flash hacks that OWASP warned about.)

Collapse
 
nv1t profile image
nuit

If you are able to set referer/origin, the check would be useless. The only thing why the check works: you can't set certain headers without a preflight because of CORS restriction.

BUT: you are right. This particular bug does not affect the referer/origin check, because some headers are blacklistet in flash.
Just wanted to display, that it happened before and planing a fail in a security system, because of another software is never a good idea.

So implementing one solution (token), instead of a solution which could break, and one solid one, is more cost effective.
Tokens are implemented in nearly every framework. Using them are most of the time the easier option.

But i like your writing, and that you supply all the information :)

Collapse
 
ycmjason profile image
YCM Jason

Wow! How vivid this is! An I the only one who attempt to go to hogwarts.edu? This post is so fun to read!

Collapse
 
drx_sicher profile image
Drx

Very nice topic. And I love your pictures...very cool ;)

Collapse
 
legolord208 profile image
jD91mZM2

My old websites have totally been a subject of these attacks o_O

Collapse
 
georgeoffley profile image
George Offley

This was great, thanks for writing. Reminds of the Hogwarts IT guy tumblr.

Collapse
 
rapasoft profile image
Pavol Rajzak

Very well written Richard! Even though I'm not familiar with HP terminology :).

Collapse
 
onekiloparsec profile image
Cédric Foellmi

Great story-telling on this technical (and often overlooked) problem! Thanks.

Collapse
 
zeerorg profile image
Rishabh Gupta

A great post on csrf. 👏👏

Collapse
 
defman profile image
Sergey Kislyakov

Reading it was VERY interesting. Thanks for sharing this article with us, Richard!

Collapse
 
kephas profile image
Nowhere Man

Or you could use unguessable URIs (aka capabilities) and the whole process isn't necessary…