Mixing
Is CSRF still a relevant attack vector?
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;
up vote
1
down vote
favorite
CSRF was part of older OWASP TOP 10 lists but has been retired "as many frameworks include CSRF defenses, it was found in only 5% of applications".
But even without frameworks doing CSRF defense, I've got the feeling that modern browsers already mitigate the problem. Cookies and headers needed for authentication are not sent by default in cross site requests.
For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. At least in Chrome.
So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.
web-application csrf
edited 1 hour ago
Anders
45.5k21127152
asked 4 hours ago
rdmueller
87311014
add a comment |Â
up vote
1
down vote
favorite
CSRF was part of older OWASP TOP 10 lists but has been retired "as many frameworks include CSRF defenses, it was found in only 5% of applications".
But even without frameworks doing CSRF defense, I've got the feeling that modern browsers already mitigate the problem. Cookies and headers needed for authentication are not sent by default in cross site requests.
For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. At least in Chrome.
So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.
web-application csrf
edited 1 hour ago
Anders
45.5k21127152
asked 4 hours ago
rdmueller
87311014
add a comment |Â
up vote
1
down vote
favorite
up vote
1
down vote
favorite
CSRF was part of older OWASP TOP 10 lists but has been retired "as many frameworks include CSRF defenses, it was found in only 5% of applications".
But even without frameworks doing CSRF defense, I've got the feeling that modern browsers already mitigate the problem. Cookies and headers needed for authentication are not sent by default in cross site requests.
For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. At least in Chrome.
So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.
web-application csrf
edited 1 hour ago
Anders
45.5k21127152
asked 4 hours ago
rdmueller
87311014
CSRF was part of older OWASP TOP 10 lists but has been retired "as many frameworks include CSRF defenses, it was found in only 5% of applications".
But even without frameworks doing CSRF defense, I've got the feeling that modern browsers already mitigate the problem. Cookies and headers needed for authentication are not sent by default in cross site requests.
For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. At least in Chrome.
So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.
web-application csrf
web-application csrf
edited 1 hour ago
Anders
45.5k21127152
asked 4 hours ago
rdmueller
87311014
edited 1 hour ago
Anders
45.5k21127152
asked 4 hours ago
rdmueller
87311014
edited 1 hour ago
Anders
45.5k21127152
edited 1 hour ago
Anders
45.5k21127152
edited 1 hour ago
Anders
45.5k21127152
45.5k21127152
asked 4 hours ago
rdmueller
87311014
asked 4 hours ago
rdmueller
87311014
asked 4 hours ago
rdmueller
87311014
87311014
add a comment |Â
add a comment |Â
3 Answers
3
active
oldest
votes
up vote
2
down vote
... if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. ... which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.
CORS for XHR is not a new mitigation and it even isn't a mitigation against previously working attacks at all. When XMLHttpRequest was designed no cross-origin requests were possible at all. And only with the introduction of CORS this restrictions was changed and replaced with cross-origin requests controlled by a CORS policy. Thus, all the old browsers which did not implement CORS were not affected by CSRF via XHR in the first place.
Nevertheless, CSRF is still a problem and can still be used the same way as it could in the past. XHR is not needed as a vector for CSRF attacks at all and it did not work in the past anyway. Instead cross-site image includes, cross-site form submits or similar can be used, which still automatically send the necessary credentials and cookies cross-site. The new samesite attribute for cookies can be used to prevent this but it has to be explicitly set by the application and not all browsers support it yet.
Therefore proper CSRF protection is still needed today.
What happens if CSRF protection is not properly implement can be seen for example by recent news like Hackers Launching Massive Cyber Attack Against 800,000 DrayTek Routers by Exploiting zero-day Vulnerability.
answered 4 hours ago
Steffen Ullrich
107k12182247
Maybe I've put too much emphasis on the XMLHttpRequest example. AFAIK, also other CSRF requests like<img>-tags are nowadays not so easy to create, because they don't send cookies anymore or do they still? btw: I can't find a reference to CSRF in the article you linked...
– rdmueller
3 hours ago
add a comment |Â
up vote
1
down vote
If I had to make a comment on the matter then It'd be best reflected by what's written in this piece.
https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f
CSRF is still relevant in a condition similar to IPv4 - We won't be able to phase out legacy systems that are privy to it for a while yet, and eventually a permutation of it will arise.
As always; remember to patch your systems kids
answered 4 hours ago
Juliette Moss
111
New contributor
Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
thanx. The article is great and your comparison with IPv4 is what I think, too. But it would be nice to have some figures on what percentage of browsers still cause a problem
– rdmueller
4 hours ago
add a comment |Â
up vote
1
down vote
Cookies and headers needed for authentication are not sent by default in cross site requests.
That is not correct. If a user clicks a link or post a form on evil.com to example.com, cookies will be included. The user doesn't even have to click the link or submit button, it can be automated with a script.
For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful.
Yeah, sure. But why would an attacker need XHR when you can just use an old fashioned form?
So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.
Browsers do not implement any automatic counter measures, so you still need to do it. Vulnerable sites will continue to be vulnerable no matter how modern browsers we use.
In one way you are right, though. Modern API:s are often designed in ways that gives them at least some CSRF protection by default. This happens for instance if you do authentication with a authorization header instead of cookies, or if you only accept POST requests with a JSON body.
answered 1 hour ago
Anders
45.5k21127152
add a comment |Â
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
... if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. ... which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.
CORS for XHR is not a new mitigation and it even isn't a mitigation against previously working attacks at all. When XMLHttpRequest was designed no cross-origin requests were possible at all. And only with the introduction of CORS this restrictions was changed and replaced with cross-origin requests controlled by a CORS policy. Thus, all the old browsers which did not implement CORS were not affected by CSRF via XHR in the first place.
Nevertheless, CSRF is still a problem and can still be used the same way as it could in the past. XHR is not needed as a vector for CSRF attacks at all and it did not work in the past anyway. Instead cross-site image includes, cross-site form submits or similar can be used, which still automatically send the necessary credentials and cookies cross-site. The new samesite attribute for cookies can be used to prevent this but it has to be explicitly set by the application and not all browsers support it yet.
Therefore proper CSRF protection is still needed today.
What happens if CSRF protection is not properly implement can be seen for example by recent news like Hackers Launching Massive Cyber Attack Against 800,000 DrayTek Routers by Exploiting zero-day Vulnerability.
answered 4 hours ago
Steffen Ullrich
107k12182247
Maybe I've put too much emphasis on the XMLHttpRequest example. AFAIK, also other CSRF requests like<img>-tags are nowadays not so easy to create, because they don't send cookies anymore or do they still? btw: I can't find a reference to CSRF in the article you linked...
– rdmueller
3 hours ago
add a comment |Â
up vote
2
down vote
... if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. ... which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.
CORS for XHR is not a new mitigation and it even isn't a mitigation against previously working attacks at all. When XMLHttpRequest was designed no cross-origin requests were possible at all. And only with the introduction of CORS this restrictions was changed and replaced with cross-origin requests controlled by a CORS policy. Thus, all the old browsers which did not implement CORS were not affected by CSRF via XHR in the first place.
Nevertheless, CSRF is still a problem and can still be used the same way as it could in the past. XHR is not needed as a vector for CSRF attacks at all and it did not work in the past anyway. Instead cross-site image includes, cross-site form submits or similar can be used, which still automatically send the necessary credentials and cookies cross-site. The new samesite attribute for cookies can be used to prevent this but it has to be explicitly set by the application and not all browsers support it yet.
Therefore proper CSRF protection is still needed today.
What happens if CSRF protection is not properly implement can be seen for example by recent news like Hackers Launching Massive Cyber Attack Against 800,000 DrayTek Routers by Exploiting zero-day Vulnerability.
answered 4 hours ago
Steffen Ullrich
107k12182247
Maybe I've put too much emphasis on the XMLHttpRequest example. AFAIK, also other CSRF requests like<img>-tags are nowadays not so easy to create, because they don't send cookies anymore or do they still? btw: I can't find a reference to CSRF in the article you linked...
– rdmueller
3 hours ago
add a comment |Â
up vote
2
down vote
up vote
2
down vote
... if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. ... which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.
CORS for XHR is not a new mitigation and it even isn't a mitigation against previously working attacks at all. When XMLHttpRequest was designed no cross-origin requests were possible at all. And only with the introduction of CORS this restrictions was changed and replaced with cross-origin requests controlled by a CORS policy. Thus, all the old browsers which did not implement CORS were not affected by CSRF via XHR in the first place.
Nevertheless, CSRF is still a problem and can still be used the same way as it could in the past. XHR is not needed as a vector for CSRF attacks at all and it did not work in the past anyway. Instead cross-site image includes, cross-site form submits or similar can be used, which still automatically send the necessary credentials and cookies cross-site. The new samesite attribute for cookies can be used to prevent this but it has to be explicitly set by the application and not all browsers support it yet.
Therefore proper CSRF protection is still needed today.
What happens if CSRF protection is not properly implement can be seen for example by recent news like Hackers Launching Massive Cyber Attack Against 800,000 DrayTek Routers by Exploiting zero-day Vulnerability.
answered 4 hours ago
Steffen Ullrich
107k12182247
... if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful. ... which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.
CORS for XHR is not a new mitigation and it even isn't a mitigation against previously working attacks at all. When XMLHttpRequest was designed no cross-origin requests were possible at all. And only with the introduction of CORS this restrictions was changed and replaced with cross-origin requests controlled by a CORS policy. Thus, all the old browsers which did not implement CORS were not affected by CSRF via XHR in the first place.
Nevertheless, CSRF is still a problem and can still be used the same way as it could in the past. XHR is not needed as a vector for CSRF attacks at all and it did not work in the past anyway. Instead cross-site image includes, cross-site form submits or similar can be used, which still automatically send the necessary credentials and cookies cross-site. The new samesite attribute for cookies can be used to prevent this but it has to be explicitly set by the application and not all browsers support it yet.
Therefore proper CSRF protection is still needed today.
What happens if CSRF protection is not properly implement can be seen for example by recent news like Hackers Launching Massive Cyber Attack Against 800,000 DrayTek Routers by Exploiting zero-day Vulnerability.
answered 4 hours ago
Steffen Ullrich
107k12182247
edited 4 hours ago
answered 4 hours ago
Steffen Ullrich
107k12182247
answered 4 hours ago
Steffen Ullrich
107k12182247
answered 4 hours ago
Steffen Ullrich
107k12182247
107k12182247
Maybe I've put too much emphasis on the XMLHttpRequest example. AFAIK, also other CSRF requests like<img>-tags are nowadays not so easy to create, because they don't send cookies anymore or do they still? btw: I can't find a reference to CSRF in the article you linked...
– rdmueller
3 hours ago
add a comment |Â
Maybe I've put too much emphasis on the XMLHttpRequest example. AFAIK, also other CSRF requests like<img>-tags are nowadays not so easy to create, because they don't send cookies anymore or do they still? btw: I can't find a reference to CSRF in the article you linked...
– rdmueller
3 hours ago
Maybe I've put too much emphasis on the XMLHttpRequest example. AFAIK, also other CSRF requests like
<img>-tags are nowadays not so easy to create, because they don't send cookies anymore or do they still? btw: I can't find a reference to CSRF in the article you linked...– rdmueller
3 hours ago
Maybe I've put too much emphasis on the XMLHttpRequest example. AFAIK, also other CSRF requests like
<img>-tags are nowadays not so easy to create, because they don't send cookies anymore or do they still? btw: I can't find a reference to CSRF in the article you linked...– rdmueller
3 hours ago
add a comment |Â
up vote
1
down vote
If I had to make a comment on the matter then It'd be best reflected by what's written in this piece.
https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f
CSRF is still relevant in a condition similar to IPv4 - We won't be able to phase out legacy systems that are privy to it for a while yet, and eventually a permutation of it will arise.
As always; remember to patch your systems kids
answered 4 hours ago
Juliette Moss
111
New contributor
Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
thanx. The article is great and your comparison with IPv4 is what I think, too. But it would be nice to have some figures on what percentage of browsers still cause a problem
– rdmueller
4 hours ago
add a comment |Â
up vote
1
down vote
If I had to make a comment on the matter then It'd be best reflected by what's written in this piece.
https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f
CSRF is still relevant in a condition similar to IPv4 - We won't be able to phase out legacy systems that are privy to it for a while yet, and eventually a permutation of it will arise.
As always; remember to patch your systems kids
answered 4 hours ago
Juliette Moss
111
New contributor
Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
thanx. The article is great and your comparison with IPv4 is what I think, too. But it would be nice to have some figures on what percentage of browsers still cause a problem
– rdmueller
4 hours ago
add a comment |Â
up vote
1
down vote
up vote
1
down vote
If I had to make a comment on the matter then It'd be best reflected by what's written in this piece.
https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f
CSRF is still relevant in a condition similar to IPv4 - We won't be able to phase out legacy systems that are privy to it for a while yet, and eventually a permutation of it will arise.
As always; remember to patch your systems kids
answered 4 hours ago
Juliette Moss
111
New contributor
Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
If I had to make a comment on the matter then It'd be best reflected by what's written in this piece.
https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f
CSRF is still relevant in a condition similar to IPv4 - We won't be able to phase out legacy systems that are privy to it for a while yet, and eventually a permutation of it will arise.
As always; remember to patch your systems kids
answered 4 hours ago
Juliette Moss
111
New contributor
Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 4 hours ago
Juliette Moss
111
New contributor
Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 4 hours ago
Juliette Moss
111
answered 4 hours ago
Juliette Moss
111
111
New contributor
Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Juliette Moss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
thanx. The article is great and your comparison with IPv4 is what I think, too. But it would be nice to have some figures on what percentage of browsers still cause a problem
– rdmueller
4 hours ago
add a comment |Â
thanx. The article is great and your comparison with IPv4 is what I think, too. But it would be nice to have some figures on what percentage of browsers still cause a problem
– rdmueller
4 hours ago
thanx. The article is great and your comparison with IPv4 is what I think, too. But it would be nice to have some figures on what percentage of browsers still cause a problem
– rdmueller
4 hours ago
thanx. The article is great and your comparison with IPv4 is what I think, too. But it would be nice to have some figures on what percentage of browsers still cause a problem
– rdmueller
4 hours ago
add a comment |Â
up vote
1
down vote
Cookies and headers needed for authentication are not sent by default in cross site requests.
That is not correct. If a user clicks a link or post a form on evil.com to example.com, cookies will be included. The user doesn't even have to click the link or submit button, it can be automated with a script.
For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful.
Yeah, sure. But why would an attacker need XHR when you can just use an old fashioned form?
So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.
Browsers do not implement any automatic counter measures, so you still need to do it. Vulnerable sites will continue to be vulnerable no matter how modern browsers we use.
In one way you are right, though. Modern API:s are often designed in ways that gives them at least some CSRF protection by default. This happens for instance if you do authentication with a authorization header instead of cookies, or if you only accept POST requests with a JSON body.
answered 1 hour ago
Anders
45.5k21127152
add a comment |Â
up vote
1
down vote
Cookies and headers needed for authentication are not sent by default in cross site requests.
That is not correct. If a user clicks a link or post a form on evil.com to example.com, cookies will be included. The user doesn't even have to click the link or submit button, it can be automated with a script.
For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful.
Yeah, sure. But why would an attacker need XHR when you can just use an old fashioned form?
So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.
Browsers do not implement any automatic counter measures, so you still need to do it. Vulnerable sites will continue to be vulnerable no matter how modern browsers we use.
In one way you are right, though. Modern API:s are often designed in ways that gives them at least some CSRF protection by default. This happens for instance if you do authentication with a authorization header instead of cookies, or if you only accept POST requests with a JSON body.
answered 1 hour ago
Anders
45.5k21127152
add a comment |Â
up vote
1
down vote
up vote
1
down vote
Cookies and headers needed for authentication are not sent by default in cross site requests.
That is not correct. If a user clicks a link or post a form on evil.com to example.com, cookies will be included. The user doesn't even have to click the link or submit button, it can be automated with a script.
For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful.
Yeah, sure. But why would an attacker need XHR when you can just use an old fashioned form?
So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.
Browsers do not implement any automatic counter measures, so you still need to do it. Vulnerable sites will continue to be vulnerable no matter how modern browsers we use.
In one way you are right, though. Modern API:s are often designed in ways that gives them at least some CSRF protection by default. This happens for instance if you do authentication with a authorization header instead of cookies, or if you only accept POST requests with a JSON body.
answered 1 hour ago
Anders
45.5k21127152
Cookies and headers needed for authentication are not sent by default in cross site requests.
That is not correct. If a user clicks a link or post a form on evil.com to example.com, cookies will be included. The user doesn't even have to click the link or submit button, it can be automated with a script.
For instance, if an XMLHttpRequest should send cookies, the withcredentials-flag has to be set. And even then, the target server has to implement a CORS header for the request to be successful.
Yeah, sure. But why would an attacker need XHR when you can just use an old fashioned form?
So I now wonder, which browsers already implement those counter measures and if they are enough as defense or if we still have to implement CSRF mitigations in our applications.
Browsers do not implement any automatic counter measures, so you still need to do it. Vulnerable sites will continue to be vulnerable no matter how modern browsers we use.
In one way you are right, though. Modern API:s are often designed in ways that gives them at least some CSRF protection by default. This happens for instance if you do authentication with a authorization header instead of cookies, or if you only accept POST requests with a JSON body.
answered 1 hour ago
Anders
45.5k21127152
answered 1 hour ago
Anders
45.5k21127152
answered 1 hour ago
Anders
45.5k21127152
answered 1 hour ago
Anders
45.5k21127152
45.5k21127152
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f194936%2fis-csrf-still-a-relevant-attack-vector%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
