CSRF

CSRF in JavaScript

Vulnerability: Cross-Site Request Forgery (CSRF)

Vulnerable Code:

javascriptCopy code// No CSRF token validation
fetch('/update-profile', {
    method: 'POST',
    body: JSON.stringify({ email: 'newemail@example.com' })
});

Reason for vulnerability: The code performs a sensitive action without validating a CSRF token, making it susceptible to CSRF attacks.

Fixed Code:

javascriptCopy code// Fetch CSRF token from meta tag
const token = document.querySelector('meta[name="csrf-token"]').getAttribute('content');

fetch('/update-profile', {
    method: 'POST',
    headers: {
        'CSRF-Token': token,
        'Content-Type': 'application/json'
    },
    body: JSON.stringify({ email: 'newemail@example.com' })
});

Reason for fix: Including a CSRF token in the request header ensures that the request is legitimate and not forged by an attacker.

Vulnerable Code

@Controller
public class TransferController {
    @PostMapping("/transfer")
    public String transferMoney(@RequestParam String to, @RequestParam BigDecimal amount) {
        // Perform money transfer
        return "redirect:/success";
    }
}

Reason for Vulnerability:

This endpoint doesn't implement any CSRF protection, allowing attackers to trick users into making unintended transfers.

Fixed Code:

javaCopy@Controller
public class TransferController {
    @PostMapping("/transfer")
    public String transferMoney(@RequestParam String to, @RequestParam BigDecimal amount, 
                                @RequestParam String _csrf, HttpSession session) {
        if (!_csrf.equals(session.getAttribute("csrfToken"))) {
            return "redirect:/error";
        }
        // Perform money transfer
        return "redirect:/success";
    }

    @ModelAttribute
    public void addCsrfToken(HttpSession session, Model model) {
        String csrfToken = UUID.randomUUID().toString();
        session.setAttribute("csrfToken", csrfToken);
        model.addAttribute("csrfToken", csrfToken);
    }
}

Reason for Fix:

The fixed code implements a custom CSRF token validation. A more robust solution would be to use Spring Security's built-in CSRF protection.

Vulnerable Code:

from flask import Flask, request, session

app = Flask(__name__)

@app.route('/change_email', methods=['POST'])
def change_email():
    new_email = request.form['email']
    user_id = session['user_id']
    update_email(user_id, new_email)
    return "Email updated successfully"

Reason for Vulnerability:

This Flask route doesn't implement any CSRF protection, allowing attackers to trick users into changing their email without their knowledge.

Fixed Code:

pythonCopyfrom flask import Flask, request, session
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
csrf = CSRFProtect(app)

@app.route('/change_email', methods=['POST'])
@csrf.exempt
def change_email():
    if request.form['csrf_token'] != session['csrf_token']:
        return "CSRF token mismatch", 403
    new_email = request.form['email']
    user_id = session['user_id']
    update_email(user_id, new_email)
    return "Email updated successfully"

@app.before_request
def csrf_protect():
    if request.method == "POST":
        token = session.pop('csrf_token', None)
        if not token or token != request.form.get('csrf_token'):
            abort(403)

Reason for Fix:

The fixed code implements CSRF protection using Flask-WTF's CSRFProtect and custom token validation.

JavaScript Example

Vulnerable Code:

javascriptCopy// Client-side code
fetch('/api/update-profile', {
    method: 'POST',
    body: JSON.stringify({ name: 'New Name' }),
    headers: {
        'Content-Type': 'application/json'
    }
});

// Server-side code (Express.js)
app.post('/api/update-profile', (req, res) => {
    // Update user profile
    res.send('Profile updated');
});

Reason for Vulnerability:

The API endpoint doesn't implement any CSRF protection, making it vulnerable to cross-site requests.

Fixed Code:

javascriptCopy// Client-side code
fetch('/api/update-profile', {
    method: 'POST',
    body: JSON.stringify({ name: 'New Name' }),
    headers: {
        'Content-Type': 'application/json',
        'X-CSRF-Token': document.querySelector('meta[name="csrf-token"]').getAttribute('content')
    },
    credentials: 'include'
});

// Server-side code (Express.js)
const csrf = require('csurf');
const csrfProtection = csrf({ cookie: true });

app.use(csrfProtection);

app.get('/form', (req, res) => {
    res.render('form', { csrfToken: req.csrfToken() });
});

app.post('/api/update-profile', csrfProtection, (req, res) => {
    // Update user profile
    res.send('Profile updated');
});

Reason for Fix:

The fixed code implements CSRF protection using the csurf middleware for Express.js and includes the CSRF token in API requests.

PreviousSSTI NextInsecure Deserialization

Last updated 6 months ago