Is Access-Control-Allow-Origin enough to prevent XSRF attacks?
We are creating a Java Spring / Hibernate enabled application running in JBoss. The interface is AngularJS.
We have not done anything yet to install XSRF tokens on the server. We also do not (yet) have any requirement to grant other domains access to our web resources.
I figured I'd try to find out if our site was vulnerable to an XSRF attack, so I configured a malicious web app to post to one of our real app URLs using Angular's $http.post(). I logged in to the real application and then tried to send a message from the malicious application.
In the browser I got a 401 response and saw the error:
XMLHttpRequest cannot load http://localhost:8080/user/delete. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:6543' is therefore not allowed access. The response
had HTTP status code 401.
The server side is not configured to set Access-Control-Allow-Origin on the response, hence the above error.
So my question is: is simply omitting Access-Control-Allow-Origin from the response headers enough to prevent XSRF attacks?
Is there a way that I could still carry out an XSRF attack on my site even if Access-Control-Allow-Origin is not set? If so, how? I would like to demonstrate this attack.
Thanks.
No, this is not enough. Even though the browser gives an 'Access-Control-Allow-Origin' error, the request is still being made by the browser. If the attacking page sets withCredentials:
$http.post(url, {withCredentials: true, ...})
then this request will be sent to your domain using the victim's authentication cookie, which means that the request to http://www.example.com:8080/user/delete will not succeed.
Alternatively, this request could be made without XHR using a standard HTML form:
<form method="post" action="http://www.example.com:8080/user/delete">
and JavaScript will just be used to submit the form, not the request itself.
An easy way to protect your system from CSRF is to check a custom header like X-Requested-With or Origin. X-Requested-With cannot be sent cross-domain without enabling CORS on the backend. However, the Synchronizer Token Pattern is still the strongest CSRF prevention method, as it is not prone to bugs in browser plugins such as the previous flaw in Flash that allowed headers to be sent that would not normally be available from the browser.
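As an added illustration of the Origin-header check the answer describes (this is example code written here, not the asker's application or a Spring component), a servlet filter that rejects state-changing requests whose Origin, or failing that the Referer's origin, is not the site's own. The allow-listed origin reuses the answer's example host; the class name and the Java 9+ Set.of() calls are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: map it to every URL that changes state (e.g. /user/delete).
public class OriginCheckFilter implements Filter {
    // The site's own origin(s); a CSRF page at http://localhost:6543 is not listed.
    private static final Set<String> ALLOWED_ORIGINS = Set.of("http://www.example.com:8080");
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (SAFE_METHODS.contains(request.getMethod()) || isSameOrigin(request)) {
            chain.doFilter(req, res);
        } else {
            // Both the cross-origin XHR and the plain HTML form post end up here.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "cross-origin request rejected");
        }
    }

    static boolean isSameOrigin(HttpServletRequest request) {
        String origin = request.getHeader("Origin");
        if (origin == null) {
            // Some browsers omit Origin on form posts; derive it from the Referer instead.
            String referer = request.getHeader("Referer");
            if (referer == null) {
                return false; // no evidence of where the request came from: reject
            }
            try {
                URI u = URI.create(referer);
                origin = u.getScheme() + "://" + u.getHost()
                        + (u.getPort() == -1 ? "" : ":" + u.getPort());
            } catch (IllegalArgumentException e) {
                return false; // unparsable Referer: reject
            }
        }
        // An opaque origin arrives as the literal string "null" and is rejected too.
        return ALLOWED_ORIGINS.contains(origin);
    }
}
```

Browsers attach Origin to cross-site POSTs whether they come from XHR or from a form, so the malicious page at localhost:6543 is rejected on the server even though the cookie was sent; a synchronizer token remains the stronger defence because it does not rely on header behaviour.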