Friday, 15 September 2017

What is a CSRF token? How does it work?

Cross-Site Request Forgery (CSRF)

A CSRF token is a secret value that a website issues so it can tell whether a request really came from its own pages, rather than from another site that is borrowing the user's logged-in session.

  • Assume you are currently logged into your online banking at www.personolbank.com.
  • Assume a money transfer from personolbank.com results in a request of (conceptually) the form http://www.personolbank.com/transfer?to=<SomeAccountnumber>;amount=<SomeAmount>. (Your own account number is not needed, because it is implied by your login.)
  • You visit www.paymentdesk.org, not knowing that it is a malicious site.
  • If the owner of that site knows the form of the above request (easy!) and correctly guesses that you are logged into personolbank.com (requires some luck!), they can include on their page a request like http://www.personolbank.com/transfer?to=123456;amount=20000 (where 123456 is the number of their Cayman Islands account and 10000 is an amount you were previously glad to possess).
  • You retrieved that www.paymentdesk.org page, so your browser makes that request.
  • Your bank cannot tell where the request originated: your web browser sends it along with your www.personolbank.com cookie, so it looks perfectly legitimate. There goes your money!
This is what happens without CSRF tokens.
Now the better version, with CSRF tokens:
  • The transfer request is extended with a third argument: http://www.personolbank.com/transfer?to=123456;amount=10000;token=31415926535897932384626433832795028841971.
  • That token is a huge, impossible-to-guess random number that mybank.com includes in its own web page when it serves the page to you. It is different each time any page is served to anybody.
  • The attacker cannot guess the token and cannot convince your web browser to surrender it (if the browser works correctly...), so the attacker cannot create a valid request: requests with the wrong token (or no token) are refused by www.personolbank.com.

To prevent this, Django sends a random key both in a cookie and in the form data. When the user POSTs, it checks that the two keys are identical. If the user has been tricked, the third-party website cannot read your site's cookies, so it cannot supply a matching key and the request fails the check.
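The following is an added example, not code from the original post or from Django, showing the token check that the bullet list and the Django paragraph above describe: the server mints an unguessable token, sends it both as a cookie and as a form field, and accepts a state-changing request only when the two copies match. The endpoint, request shape, and cookie/field names (`csrftoken`, `csrfmiddlewaretoken`) are assumptions chosen to mirror the page's bank example; the three scenarios at the bottom are constructed.

```python
import hmac
import secrets

TOKEN_BYTES = 32  # 256 bits of randomness: infeasible to guess


def issue_token() -> str:
    """Mint a fresh, unguessable CSRF token.

    A real server sets this value as a cookie and embeds the same value
    in every form it serves, so only pages it rendered can echo it back.
    """
    return secrets.token_hex(TOKEN_BYTES)


def csrf_ok(cookie_token, form_token) -> bool:
    """Return True only if both copies are present and equal.

    hmac.compare_digest keeps the comparison constant-time, so response
    timing reveals nothing about how much of a wrong token matched.
    """
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def handle_transfer(request: dict) -> str:
    """Toy /transfer endpoint (assumed shape: dict with 'cookies' and 'form').

    The session cookie alone is not enough: the browser attaches it to any
    request for the bank, including one triggered by another site.
    """
    cookies, form = request["cookies"], request["form"]
    if "session" not in cookies:
        return "401 not logged in"
    if not csrf_ok(cookies.get("csrftoken"), form.get("csrfmiddlewaretoken")):
        return "403 CSRF verification failed"
    return f"200 transferred {form['amount']} to {form['to']}"


def simulate() -> dict:
    """Constructed scenarios: one legitimate submit and two forged ones."""
    token = issue_token()
    # Browser state after loading the bank's own transfer form: both cookies set.
    cookies = {"session": "logged-in-user", "csrftoken": token}

    # 1. Submit from the bank's own page: the form carries the matching token.
    legit = {
        "cookies": cookies,
        "form": {"to": "987654", "amount": "100", "csrfmiddlewaretoken": token},
    }
    # 2. Request triggered by another origin: the browser still attaches the
    #    cookies, but that origin never saw the token, so the field is absent.
    forged_missing = {
        "cookies": cookies,
        "form": {"to": "123456", "amount": "10000"},
    }
    # 3. Same, but with a made-up token value: it cannot match the cookie.
    forged_guess = {
        "cookies": cookies,
        "form": {"to": "123456", "amount": "10000",
                 "csrfmiddlewaretoken": secrets.token_hex(TOKEN_BYTES)},
    }
    return {
        "legit": handle_transfer(legit),
        "missing": handle_transfer(forged_missing),
        "guessed": handle_transfer(forged_guess),
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:8s} -> {outcome}")
```

Only the first scenario is accepted; the other two are rejected with a 403 even though the session cookie was present on all three, which is exactly the distinction the session cookie alone cannot make. Django's real implementation adds details not shown here (a masked per-response form value and Origin/Referer checks), but the core rule is the same: no matching token, no state change.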
