![]() ![]() ![]() You should not use local timestamps as tokens without server-side encryption.Ĥ. Tokens should expire after a short period of time, so they cannot be reused.ģ. could be generated with a trustworthy and properly configured random generator.Ģ. Token value should not be predictable, e.g. You should follow these guidelines when generating and then accepting a form submission token:ġ. The attacker building a phishing page cloning your form won’t be able to come up with a valid token and mimic a valid submission with malicious data. So that only form submissions containing a valid token value will be accepted by your application. This problem can be resolved by adding a temporarily valid token to any form submission in your application, e.g. by clicking a link in a phishing email, and the pre-populated form content will be submitted to your application like it would be submitted by your user. One of your application users who is already logged in can be then tricked to navigate to such malicious page e.g. When the page is accessed the form will be immediately submitted and page contents replaced with a valid content or a redirect to your original application. The webpage will contain a form with the exact set of fields as the original application but with input values already provided and the submit button replaced with a Javascript code causing auto-submission. The attacker may copy one of your web application forms, e.g. steal their account by changing their email and password or silently adding a new admin user account when executed from the administrator account. ![]() The absence of Anti-CSRF tokens may lead to a Cross-Site Request Forgery attack that can result in executing a specific application action as another logged in user, e.g. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |