Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications. These best practices, derived from Security Innovation's assessments of the world's most dominant software applications, are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.

Include Unique Tokens in HTTP Requests


What to Do

Include unique tokens in HTTP requests when performing sensitive operations to prevent Cross-Site Request Forgery (CSRF).

Why

CSRF may be possible when an attacker can form a URL that performs an action on behalf of an authenticated user. Forming such URLs becomes much more difficult if unique tokens are included in HTTP requests. Including a difficult-to-predict token in each sensitive HTTP request is an effective defense against CSRF attacks.

How

To include unique tokens in HTTP requests:

  1. Identify sensitive operations. Review application design and code to identify all operations that require authorization.
  2. Identify code that performs sensitive operations. Identify all pages that are involved in performing sensitive operations - this includes both the pages that link to sensitive operations and the code that actually carries out the sensitive operations.
  3. Choose a method for generating unique tokens. There are different ways to generate unique tokens. One approach is to use the uniqid function, prefixed with a hash of the current time. For example:

uniqid(md5(microtime()), true);

  4. Add the unique token to the session. Add code that generates the unique tokens and stores them in session variables to the pages that link to sensitive operations. For example:

session_start();
$_SESSION['CSRFToken'] = uniqid(md5(microtime()), true);

  5. Add unique tokens to HTTP requests. Add code that sends the generated unique tokens in HTTP requests to the pages that link to sensitive operations. One of the simplest ways to do this is to include the tokens in hidden fields in forms. For example:

<input type="hidden" name="CSRFToken" value="<?php echo htmlspecialchars($_SESSION['CSRFToken'], ENT_QUOTES, 'UTF-8'); ?>" />

  6. Add token validation code. Add code to the pages that carry out sensitive operations that compares the tokens sent in HTTP requests to the tokens stored in session variables. Comparing the tokens in HTTP requests to the tokens in session variables makes sure that the tokens were generated by the server as part of the normal application workflow, and therefore that the requested action is being performed by a legitimate user. The validation code should look something like the following:

session_start();

// Fail closed if either token is missing, then compare in constant time
// (hash_equals avoids leaking the token through timing differences).
if (!isset($_POST['CSRFToken'], $_SESSION['CSRFToken'])
    || !is_string($_POST['CSRFToken'])
    || !hash_equals($_SESSION['CSRFToken'], $_POST['CSRFToken'])) {
  // The tokens don't match - possible CSRF detected
  die('Possible CSRF');
}
// Validation passed, so tokens match - perform the sensitive operation
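Steps 3 through 6 above, pulled together into one page-handling script. This is an added example, not code from the original post or from TeamMentor. It swaps the post's `uniqid(md5(microtime()), true)` for `random_bytes()`, PHP's CSPRNG, because a token derived from the clock can be narrowed down by anyone who knows roughly when the page was served; it also uses `hash_equals()` for the comparison. The function names `csrf_token`, `csrf_field` and `csrf_validate` and the `transfer.php` framing are hypothetical; the session key and field name `CSRFToken` are the ones the post uses.

```php
<?php
// Added example (not from the original post): a self-contained CSRF token
// helper for PHP 7+. Function names are hypothetical; random_bytes(),
// hash_equals() and session_status() are standard PHP functions.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'CSRFToken';   // session variable name (from the post)
const CSRF_FIELD_NAME  = 'CSRFToken';   // hidden form field name (from the post)

/**
 * Return the per-session CSRF token, generating it on first use.
 * random_bytes() is a CSPRNG, so the token cannot be derived from the clock.
 */
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

/**
 * Hidden input to drop into every form that triggers a sensitive operation.
 * The value is HTML-escaped so the markup stays well-formed whatever the
 * token format.
 */
function csrf_field(): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s" />',
        CSRF_FIELD_NAME,
        htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8')
    );
}

/**
 * Validate the token submitted with a request against the session copy.
 * Returns false rather than dying so the caller decides how to respond.
 */
function csrf_validate(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected  = $_SESSION[CSRF_SESSION_KEY] ?? '';
    $submitted = $post[CSRF_FIELD_NAME] ?? '';

    // Missing session token, missing field, or a non-string field (e.g. an
    // array smuggled in as CSRFToken[]) all fail closed.
    if ($expected === '' || !is_string($submitted) || $submitted === '') {
        return false;
    }
    // Constant-time comparison; hash_equals() expects the known value first.
    return hash_equals($expected, $submitted);
}

// --- Request handling for a hypothetical transfer.php ---
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_validate($_POST)) {
        http_response_code(403);
        error_log('CSRF token mismatch from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        exit('Request rejected');
    }
    // Token matched: carry out the sensitive operation here.
    echo 'Transfer accepted';
} else {
    // Render the form that links to the sensitive operation.
    echo '<form method="post" action="">', csrf_field(),
         '<button type="submit">Transfer</button></form>';
}
```

One design choice differs from the post: the post generates a fresh token every time a linking page is rendered, while this example keeps a single token for the life of the session. A per-session token survives the user opening several forms in different tabs, which the per-page approach breaks, and it still stops a forged cross-site request because the attacker never sees the value. Rotate it on login and logout so a token from an earlier session cannot be carried over.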
