
Here is the story:

  1. Just after login, page A is rendered with the anti-CSRF hidden field.
  2. Page A contains a link to page B. Normally this would be an ordinary anchor, but to prevent CSRF, the link submits a form with its action set to page B, which sends the anti-CSRF hidden field in a POST (thus avoiding exposing this value in the URL).
  3. Server validates session and renders page B, again with anti-CSRF hidden field.
  4. Page B contains a link to page C, which also uses submit and is also validated by the server.
  5. At page C, user presses the back button to go back to B.

Because B is the result of a submit, browser asks for re-submission. Terrible!

I know that I shouldn't return a body from a POST, however how can I safely send the anti-CSRF field without using POST to go from one page to another? And if I use nonces, the back button will yield a valid page...

Does it have a solution? Or am I really required to change my entire site to use partial page updates?

fernacolo
    If "Normally this would be an ordinary anchor", why are you worried about CSRF? Normal anchors are used for when you aren't changing anything on the server. CSRF protection is to stop things being changed on the server by third parties tricking users into submitting particular requests. – Quentin Jul 22 '13 at 06:45
  • @Quentin Alice logs in and clicks on a normal anchor to page B, which is obtained by a GET on my server. Page B contains a link to perform a dangerous operation, so the server renders page B with an anti-CSRF token. Alice then goes to Bob's page. Bob's page requests page B via GET, and the server, believing it's from Alice, renders page B with a valid anti-CSRF token. Bob's page inspects page B's body to find the anti-CSRF token, and now it can perform the dangerous operation on behalf of Alice. – fernacolo Jul 22 '13 at 07:01
  • How does Bob's page request page B? Via JavaScript? It can't because of the same origin policy. Directly? Then it will come from Bob's server and not Alice's browser, so it won't have Alice's cookies and the CSRF token won't match when Bob's server tells Alice's browser to request wherever the dangerous link points to. – Quentin Jul 22 '13 at 08:36
  • Yes, and Bob's page also cannot use IFRAME to read page B, also due to same origin policy. Thanks! – fernacolo Jul 22 '13 at 17:13
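The exchange the comments settle on can be replayed in a few lines. The following is an added example, not code from the question or its comments: an in-memory stand-in for the server with hypothetical routes `/b` (a GET page reached by an ordinary anchor, rendered with a per-session synchronizer token) and `/delete` (the state-changing POST that checks the token). Session ids, tokens and the `SESSIONS` store are constructed for the demo. Because page B is reached by GET, the back button never triggers a re-submission prompt; Bob's server fetching page B gets no session and therefore no token, and a forged POST from Alice's browser carries her cookie but not her token, so it is rejected.

```python
import hmac
import re
import secrets

# Constructed in-memory session store for the demo: session id -> session data.
SESSIONS = {}


def login(user):
    """Create a session and a per-session anti-CSRF token (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def get_page_b(cookie_sid):
    """GET /b (hypothetical route): plain navigation reached by an ordinary anchor.

    It changes nothing on the server, so it needs no CSRF check. The token is
    embedded only in the form for the dangerous action. Returns (status, body).
    """
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 302, "Location: /login"
    body = (
        '<form method="post" action="/delete">'
        f'<input type="hidden" name="csrf" value="{sess["csrf"]}">'
        "<button>Delete account</button></form>"
    )
    return 200, body


def post_delete(cookie_sid, form_csrf):
    """POST /delete (hypothetical route): state-changing, so the token must match the session's."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 403, "no session"
    # Constant-time comparison; a missing or wrong token is rejected.
    if form_csrf is None or not hmac.compare_digest(sess["csrf"], form_csrf):
        return 403, "csrf token mismatch"
    del SESSIONS[cookie_sid]
    return 200, f"account of {sess['user']} deleted"


def extract_token(html):
    """Pull the hidden token out of the rendered page, as Alice's own browser does."""
    m = re.search(r'name="csrf" value="([^"]+)"', html)
    return m.group(1) if m else None


def scenario():
    """Replay the Alice/Bob exchange from the comments and collect the status codes."""
    results = {}
    alice_sid = login("alice")

    # 1. Alice follows a normal anchor to page B: her cookie goes along, token is rendered.
    status, html = get_page_b(alice_sid)
    results["alice_get_b"] = status
    alice_token = extract_token(html)

    # 2. Bob's server fetches page B itself: it has no cookie of Alice's, so no session, no token.
    status, html = get_page_b(None)
    results["bob_server_fetch_b"] = status
    results["bob_server_got_token"] = extract_token(html) is not None

    # 3. Bob's page makes Alice's browser POST /delete. The cookie is sent automatically,
    #    but the same-origin policy kept Bob from reading page B, so he has no token.
    status, _ = post_delete(alice_sid, None)
    results["forged_post_no_token"] = status
    status, _ = post_delete(alice_sid, secrets.token_urlsafe(32))  # a random guess
    results["forged_post_guessed_token"] = status

    # 4. Alice submits the real form from page B: token matches, action succeeds.
    status, _ = post_delete(alice_sid, alice_token)
    results["alice_real_post"] = status
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The design point is the one Quentin makes: the token only has to guard requests that change state, so it belongs in the POST form on page B, not in the navigation that reaches page B. Navigation stays GET, the back button works, and the token is still never visible to another origin.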

0 Answers