Posts

Showing posts from September, 2014

Preventing Cross-Site Request Forgery (CSRF) Attacks

Image
A Cross Site Request Forgery (CSRF) Attack is a type of web application vulnerability where the victim unintentionally runs a script in their browser that takes advantage of their logged in session to a particular site. CSRF attacks can be performed over GET or POST requests. This article will show you how to help prevent CSRF attacks on your web application. Method We will use two methods to help prevent CSRF attacks on your GET and POST requests.
The first it to include a random token with each request, this is a unique string that is generated for each session. We generate the token and then include it in every form as a hidden input. The system then checks if the form is valid by comparing the token with the one stored in the users session variable. This means that in order or an attacker to generate a request, the attacker would have to know the token value.
The second method is to use random name for each form field. The value of the random name for each field is stored in a ses…

WEBSITE SECURITY (BUSINESS LOGIC VULNERABILITIES)

Abuse of Functionality An attack that uses a website's own features and functionality to consume, defraud, or circumvent access control mechanisms. Some functions including security features may be abused to cause unexpected behavior, annoy other users, or perhaps defraud the system entirely. Abuse of Functionality techniques are often intertwined with other categories of Web application attacks, such as performing an encoding attack to introduce a query string that turns a web search function into a remote web proxy. Abuse of Functionality attacks are also commonly used as a force multiplier. For example, an attacker can inject a Cross-Site Scripting snippet into a web-chat session, then use the built-in broadcast function to propagate the malicious code site-wide. Brute Force An automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic key. Many systems will allow the use of weak passwords or small cryptographic ke…