First of all, we have to understand how CSRF actually works for attackers: it uses any active authenticated session that the user has with a server, for example when you are currently logged into your Google or Facebook account. Nowadays, as more and more web applications use SSO (Single Sign-On), we are becoming more vulnerable to these attacks.
Now suppose your session is active and you receive a mail from iwanascrewyou@hacker.com with a link that was explicitly created to download or export your contact list so that the attacker can get more targets. If you click on the link, which says something like www.owasp.org, but in case you are working for or own an older application, then you might have to add some new components and follow some methodology:
- We have to authenticate each and every link or form present in your application
- For that we will have to use some kind of authentication token mechanism
- A validator has to be implemented, say as a Servlet Filter, if you have a centralized controller
So if you can implement something like the above, then you can be assured that your application is secure. More details on how to implement this are available on OWASP; kindly have a look if you are interested.
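The token-plus-validator approach from the list above, as an added example that is not code from the original post or from OWASP. It assumes the javax.servlet API; the class name CsrfFilter, the attribute and parameter name csrfToken, and the entry pages "/" and "/login" are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: per-session CSRF token checked centrally in a Servlet Filter.
// Hypothetical names: CsrfFilter, "csrfToken", entry pages "/" and "/login".
public class CsrfFilter implements Filter {
    static final String TOKEN = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(true);

        // Issue one unpredictable token per session; views embed it in every form and link.
        String expected = (String) session.getAttribute(TOKEN);
        if (expected == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            expected = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN, expected);
        }

        // Every request must echo the token, except the assumed entry pages that a
        // user reaches before any token-bearing page has been rendered.
        String path = req.getRequestURI().substring(req.getContextPath().length());
        boolean entryPage = "/".equals(path) || "/login".equals(path);
        if (!entryPage && !matches(expected, req.getParameter(TOKEN))) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing or invalid CSRF token");
            return;
        }
        chain.doFilter(rq, rs);
    }

    // Constant-time comparison, so response timing does not reveal how much of a guess matched.
    private static boolean matches(String expected, String sent) {
        return sent != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), sent.getBytes(StandardCharsets.UTF_8));
    }
}
```

Each form then carries the session's token in a hidden csrfToken field, and a forged cross-site request fails the check because the attacker's page cannot read that value. Tokens placed in link URLs can end up in logs and Referer headers, so state-changing actions are better sent as POST forms.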