Hasty Treat - CSRF Explained

Jun 21, 2021

This discussion dives into the intriguing world of Cross-Site Request Forgery (CSRF) and its serious implications. Learn how attackers exploit authenticated sessions and discover effective defenses, including the vital role of SameSite cookies. The episode breaks down cookie settings and emphasizes the importance of CSRF tokens for web security. There are also practical tips for navigating challenges and creating secure web applications. Plus, enjoy a light-hearted take on common tech misunderstandings!

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

CSRF Explained

CSRF attacks exploit websites' trust in logged-in users' cookies.
Attackers forge requests from other sites, making it seem like the user initiated the action.

ADVICE

SameSite Cookie Solution

Use the SameSite cookie attribute to restrict cookie sending.
Set it to Strict to prevent sending cookies with cross-site requests.

ADVICE

CSRF Token Solution

Implement CSRF tokens in forms to verify requests' origins.
The server generates a token, includes it in the form, and validates it upon submission.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

In this Hasty Treat, Scott and Wes talk about CSRF (Cross Site Request Forgery)!

Prismic - Sponsor

Prismic is a Headless CMS that makes it easy to build website pages as a set of components. Break pages into sections of components using React, Vue, or whatever you like. Make corresponding Slices in Prismic. Start building pages dynamically in minutes. Get started at prismic.io/syntax.

Sentry - Sponsor

If you want to know what’s happening with your code, track errors and monitor performance with Sentry. Sentry’s Application Monitoring platform helps developers see performance issues, fix errors faster, and optimize their code health. Cut your time on error resolution from hours to minutes. It works with any language and integrates with dozens of other services. Syntax listeners new to Sentry can get two months for free by visiting Sentry.io and using the coupon code TASTYTREAT during sign up.

Show Notes

05:40 - What is it?

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute
Someone can submit a form FROM or TO your domain, automatically.

07:50 - Solutions

SameSite Cookie
https://medium.com/swlh/secure-httponly-samesite-http-cookies-attributes-and-set-cookie-explained-fc3c753dfeb6
- Lax — Default value in modern browsers. Cookies are allowed to be sent with top-level navigations and will be sent along with GET requests initiated by a third party website. The cookie is withheld on cross-site subrequests, such as calls to load images or frames, but is sent when a user navigates to the URL from an external site, such as by following a link.
- Strict — As the name suggests, this is the option in which the Same-Site rule is applied strictly. Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites. The browser sends the cookie only for same-site requests (that is, requests originating from the same site that set the cookie). If the request originated from a different URL than the current one, no cookies with the SameSite=Strict attribute are sent.
- None — Cookies will be sent in all contexts, i.e sending cross-origin is allowed. The browser sends the cookie with both cross-site and same-site requests.
CSRF Token
Check Origin / Referrer Headers
Captcha
Ask for Password
Token

Tweet us your tasty treats!

Scott’s Instagram
LevelUpTutorials Instagram
Wes’ Instagram
Wes’ Twitter
Wes’ Facebook
Scott’s Twitter
Make sure to include @SyntaxFM in your tweets