21

What response should I send back when a Cross-Site Request Forgery (CSRF) is detected?

There is a scanning tool which I cannot get a hold of that is saying one of my pages is not protected against CSRF. But it is. The response I send back is a normal 202 with the sentence "REQUEST CANNOT BE PROCESSED". That's it, nothing informative is sent back to the attacker, and I log the attempt. But this software says it is still susceptible to CSRF. I could easily run tests myself and figure it out but it's a long time in between scans and tests and I can't get the same software, that's why I'm asking stackoverflow, so I can hopefully knock it out on the next scheduled scan. I'm thinking of sending back a statusCode of 404 or 410 instead of a 202. http://www.cfgears.com/index.cfm/2009/8/11/cfheader-404-status-codes-and-why-you-shouldnt-use-them

What do you recommend sending back when a CSRF is detected?

gfrobenius
  • 3,987
  • 8
  • 34
  • 66
  • 1
    Apparently, you can't mark a question as a duplicate when the other question isn't on the same StackExchance site. Take a look here: http://security.stackexchange.com/questions/8446/how-should-a-web-page-respond-to-a-csrf-attack – Adrian J. Moreno May 05 '14 at 18:11
  • @iKnowKungFoo I think `makerofthings7` is right on the money there with [their answer](http://security.stackexchange.com/a/8679/8340). – SilverlightFox May 07 '14 at 10:30

2 Answers2

28

403 Forbidden as the user is technically authorized to access the site, it is just the specific action that is forbidden (HTTP POST without correct CSRF token).

A web server may return a 403 Forbidden HTTP status code in response to a request from a client for a web page or resource to indicate that the server can be reached and understood the request, but refuses to take any further action. Status code 403 responses are the result of the web server being configured to deny access, for some reason, to the requested resource by the client.

Bear in mind that the attacker will not be able to read this response, and for the most part the user will not see the message or HTTP response because a CSRF attack is not designed to be obvious to the victim that it is happening. If you have an effective CSRF mechanism, your site is not likely to be attacked in this manner anyway - the defense is also the deterrent.

SilverlightFox
  • 32,436
  • 11
  • 76
  • 145
  • 2
    It's worth noting that this is a common error when users have tabs open for long periods of time, like if they're working on something. If their session expires, and they log back in from another tab, they will get this error when they submit their form from the old tab. So if it's important, make sure the form is not lost! – Captain Hypertext Jan 07 '16 at 15:55
  • 2
    I'd say 99 out of a 100 times when your CSRF protection triggers it is actually somewhere in development when a dev plays around on an API and forgot about CSRF. In such a case having an informative response can be valuable. – fgysin Nov 22 '21 at 12:23
4

How about:

401 Unauthorized or 403 Forbidden

Brian McGinity
  • 5,777
  • 5
  • 36
  • 46