Sending a random token is not enough; the server must also keep track of which token was issued with which request, i.e. for a particular request, which token is expected to come back.
This is, approximately, the approach they use to protect their site:
- they have a collection of valid CSRF tokens;
- with each request they send one of the CSRF tokens from that collection;
- when the request is submitted they check whether the returned token belongs to their collection of tokens, and if it does, they simply allow the request!
It's very easy to circumvent this approach: get hold of any one of their valid tokens and replay it with any CSRF request, and the request will go through, because the token was never tied to the victim's session or request.
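The two validation strategies side by side, as an added example not taken from the post or from any of the sites analysed (the pool, session ids and token values are constructed for illustration):

```python
import hmac
import secrets

# Constructed example: a shared pool of tokens handed out to every visitor
# (the weak design described above).
SHARED_POOL = {secrets.token_hex(16) for _ in range(3)}


def issue_pool_token():
    """Weak: any token from the shared pool is handed out, to anyone."""
    return next(iter(SHARED_POOL))


def validate_pool_token(token):
    """Weak: only pool membership is checked, so a token obtained through
    one visitor's own session is accepted on a request for any other victim."""
    return token in SHARED_POOL


# Hardened: one fresh token per session, stored server-side against that
# session id, so a token only validates for the session it was issued to.
_session_tokens = {}


def issue_session_token(session_id):
    token = secrets.token_urlsafe(32)
    _session_tokens[session_id] = token
    return token


def validate_session_token(session_id, token):
    expected = _session_tokens.get(session_id)
    if expected is None or token is None:
        return False
    # constant-time comparison avoids leaking the token via timing
    return hmac.compare_digest(expected, token)


def demo():
    """Shows a token from a foreign session being accepted by the weak check
    and rejected by the session-bound check."""
    foreign_pool_token = issue_pool_token()
    victim_token = issue_session_token("victim-session")
    foreign_session_token = issue_session_token("other-session")
    return {
        "weak_accepts_foreign": validate_pool_token(foreign_pool_token),
        "hardened_accepts_foreign": validate_session_token("victim-session", foreign_session_token),
        "hardened_accepts_own": validate_session_token("victim-session", victim_token),
    }
```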
Amazed by their approach, I did some analysis on CSRF token trends for 50 Indian websites which include -
- top 20 eCommerce websites
- top 10 travel domain websites
- top 10 Matrimonial websites
- top 10 Job portal websites
The results came up with interesting statistics. I will be sharing those stats in my upcoming blog post.
Stay tuned!
-Archana