Protecting against CSRF attacks via GET requests?
I built a stateless JWT based authentication system on my web server following the Stormpath example ( https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage ) ...
The setup seems to be quite CSRF-proof, but I'm wondering what about GET requests.
I was able to simulate a CSRF attack on a GET request by including an <img> tag on a page from a different domain. The server responds to the request with a full page with a status of 200. Although I am not changing any data on GET requests, the pages may contain some sensitive information; for example,
<img src="https://example.com/account" />
might give out user details, or
<img src="https://example.com/logout" />
might just be annoying, and I think there might be more examples.
Is this <img> attack considered harmless because the browser will not disclose the response it receives? Are there any other HTML tag abuse tricks that could lead to the disclosure of sensitive information by showing the server output on a GET request?
I am considering additionally including the hash of my JWT access token to the GET url and require server-side GET requests to include this hash and it must match the JWT token from the cookie. This way, an attacker would be unable to guess a valid GET URL, and leaking such a GET URL would prevent an attacker from gaining access to my server because he doesn't know the original JWT from the cookies. Minor usability issues aside, this setup looks like a good idea to me, but I haven't looked for anything like this, so I'm suspicious :)
The concept of a CSRF attack is to force an authenticated user to perform unwanted actions in a web application in which they are authorized.
CSRF attacks are about making state changes on the server; no data theft is involved, because the response to the forged GET request is delivered to the victim's browser, not to the attacker. There is no way for the attacker to see the response to the bogus request.
A CSRF attack can change the state of the server, but it cannot see the results; it is forced to act blindly.
Let's say a CSRF attack could tell the victim's browser to request the balance of the victim's bank account; the attacker still cannot see this balance. This is obviously a pointless attack.
But it is not pointless if the attacker asks the victim's browser to transfer money from the victim's account to the attacker's account. The success or failure page for the transfer is not available to the attacking script, but the attacker doesn't care about the success or failure response; his main concern is that he wants the money in his account.
If you are making GET requests that change the state of the server, that is risky for you.
For example, if your request looks like "GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1".
I believe that this will not happen.
So, you should focus on the POST request, which should be monitored using a CSRF token.
The OWASP page on CSRF, https://www.owasp.org/index.php/Top_10_2010-A5-Cross-Site_Request_Forgery_%28CSRF%29, is worth going through once.