In my previous question, John Wu advised me to use a per session CSRF token, and told me to ask another question about guarding the CSRF Token.

How can I guard a per-session CSRF token so that it cannot be stolen by an attacker?

googol8080

1 Answer


There is little you can or need to do to guard the CSRF token. Perhaps there is more, but I can only think of four things:

  • Don't put it in a URL parameter where it will be logged in all sorts of places.
  • If you are only serving your site over HTTPS, mark any cookies involved as secure.
  • Invalidate the token both client side (via cookie settings) and server side so that old tokens cannot be used.
  • Be careful with CORS so that you do not accidentally make something containing the token available from another origin.

And then there is the issue of XSS. If you are vulnerable to that, it could be used to steal the CSRF token, since it cannot be HTTP-only. There is nothing you can do about this, other than making sure you are not vulnerable to XSS. Use CSP, sanitize your input with a good library, scan your site, etc.

However, if you have XSS issues you have bigger problems than the CSRF token being stolen.

Anders
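The four points in the answer above, put into one piece of server-side code. This is an added example and not code from the answer or from any particular framework; the in-memory session store, the `https://app.example` origin allowlist and the `csrf_token` field and `X-CSRF-Token` header names are assumptions chosen for the illustration. It generates a per-session token, rejects tokens that arrive in the query string (point 1), sets `Secure`/`HttpOnly`/`SameSite` on the session cookie (point 2), clears the token on both sides at logout (point 3), and refuses state-changing requests whose `Origin` header is not on the allowlist (point 4).

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory store: session id -> per-session CSRF token.
# A real deployment would keep this in the session backend.
SESSIONS: dict = {}

# Assumption: the only origin allowed to make state-changing requests.
ALLOWED_ORIGIN = "https://app.example"

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def create_session() -> str:
    """Create a session and mint a fresh, unguessable per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid: str):
    """Token to embed in forms / pages for this session (None if no session)."""
    return SESSIONS.get(sid)


def session_cookie_header(sid: str, https_only: bool = True) -> str:
    """Set-Cookie value for the session cookie.

    HttpOnly keeps scripts away from the session id; Secure (when the site is
    HTTPS-only) keeps it off plaintext connections; SameSite=Lax limits
    cross-site sends. The CSRF token itself is not put in this cookie.
    """
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["httponly"] = True
    c["session"]["samesite"] = "Lax"
    c["session"]["path"] = "/"
    if https_only:
        c["session"]["secure"] = True
    return c.output(header="").strip()


def invalidate_session(sid: str) -> str:
    """Log out: drop the server-side token and expire the client cookie."""
    SESSIONS.pop(sid, None)          # server side: old token is now unusable
    c = SimpleCookie()
    c["session"] = ""
    c["session"]["max-age"] = 0      # client side: browser discards the cookie
    c["session"]["path"] = "/"
    return c.output(header="").strip()


def validate_request(method: str, query: dict, headers: dict,
                     cookies: dict, form: dict):
    """Return (accepted, reason) for one request.

    Safe (read-only) methods are not CSRF-checked. For unsafe methods the
    token must come from the form body or the X-CSRF-Token header, never
    from the URL, and the Origin header (when present) must be allowed.
    """
    if method.upper() not in UNSAFE_METHODS:
        return True, "safe method"
    if "csrf_token" in query:
        # Point 1: a token in the URL ends up in logs, Referer headers, history.
        return False, "csrf token must not be sent in the URL"
    origin = headers.get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        # Point 4: do not let another origin drive state-changing requests.
        return False, "disallowed origin"
    expected = SESSIONS.get(cookies.get("session", ""))
    if expected is None:
        return False, "no valid session"
    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not submitted:
        return False, "missing csrf token"
    # Constant-time comparison on bytes; avoids a timing side channel and
    # the TypeError compare_digest raises on non-ASCII str input.
    if not hmac.compare_digest(submitted.encode("utf-8"),
                               expected.encode("utf-8")):
        return False, "csrf token mismatch"
    return True, "ok"


if __name__ == "__main__":
    sid = create_session()
    print(session_cookie_header(sid))
    print(validate_request("POST", {}, {"Origin": ALLOWED_ORIGIN},
                           {"session": sid}, {"csrf_token": csrf_token_for(sid)}))
    print(invalidate_session(sid))
```

Note that the `Origin` check is a complement to the token, not a replacement: browsers do not send `Origin` on every request, so a missing header is allowed through to the token check rather than accepted on its own.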
  • Hello, thanks for the answer. What are "CORS" and "SOP"? And how can I make sure that I am not vulnerable to XSS? Thank you. – googol8080 Sep 20 '16 at 11:38
  • CORS = [Content Origin Resource Sharing](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing). (If you are not using it, you do not need to worry about it.) SOP = [Single Origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) (Not mentioned in this answer, though.) How to protect against XSS is a huge topic. I give some pointers in my answer, [here](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet) is one more. – Anders Sep 20 '16 at 11:54
  • I do not get the meaning of the "untrusted data" OWASP was talking about. – googol8080 Sep 20 '16 at 12:01
  • Untrusted data is data that could potentially contain attacks (e.g. data provided by users in forms or URL parameters or HTTP headers or whatever). – Anders Sep 20 '16 at 12:03