Question: When or when not to use CSRF in APIs?


Answers 1
Added at 2016-12-27 05:12
Question

Spring Security Documentation states that

18.3 When to use CSRF protection

When should you use CSRF protection? Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.

But obviously there are some scenarios, which it permits, when you do not, such as when you have an unencrypted communication (i.e. no SSL). I want to know more about what scenarios you'd still want to use CSRF protection in.

Answers
No. #1, added: 2016-12-27 11:12

Background

In essence, CSRF revolves around a malicious website, phishing email, third-party program or things of such nature, attempting to cause the victim's web browser (i.e. Chrome) to do something they do not wish to do.

For example - You play a videogame named X which allows you, as a player, to have a certain amount of currency that you can purchase, sell and trade with other players.

You then receive a cool email saying you can win a lot of gold, by clicking this link. The user clicks the link and suddenly transfers all his belongings to the malicious user's account without knowing, all through a simple HTTP request. :-(


Protection methods (For Web Services [No UI])

Now in many cases, web applications make use of:

  • Anti-CSRF tokens
  • CAPTCHAs
  • Re-authentication (log the user out)

However for a REST service, the case shifts slightly. You would need to make use of a custom request header such as the -

X-Requested-With

The reason behind it is as follows (quoting OWASP's article which I highly recommend reading) -

"This defense relies on the same-origin policy (SOP) restriction that only JavaScript can be used to add a custom header, and only within its origin. By default, browsers don't allow JavaScript to make cross origin requests."


Resources

I have listed a few resources that you may want to go over. CSRF is quite an interesting vulnerability that bridges security flaws with social engineering. Hopefully you will find them useful.
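
The custom-header check described in the answer above, as an added example that is not part of the original answer and is not Spring Security code: a framework-agnostic WSGI middleware in Python. The class name `CustomHeaderCsrfGuard`, the helper `simulate` and the origin `https://app.example.test` are assumptions made for illustration, and the requests are constructed. It also covers the CORS preflight, because the defense only holds while untrusted origins are never told they may send the header.

```python
from wsgiref.util import setup_testing_defaults

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
HEADER_KEY = "HTTP_X_REQUESTED_WITH"            # WSGI name for X-Requested-With
TRUSTED_ORIGINS = {"https://app.example.test"}  # assumed allow-list (placeholder)

class CustomHeaderCsrfGuard:
    """Reject state-changing requests that lack the custom header."""
    def __init__(self, app, trusted_origins=TRUSTED_ORIGINS):
        self.app = app
        self.trusted_origins = set(trusted_origins)

    def __call__(self, environ, start_response):
        method = environ["REQUEST_METHOD"].upper()
        origin = environ.get("HTTP_ORIGIN")
        # CORS preflight: only trusted origins may be told that the custom
        # header is allowed. Approving it for every origin would let any
        # site's JavaScript add the header and defeat the check below.
        if method == "OPTIONS" and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ:
            headers = [("Vary", "Origin")]
            if origin in self.trusted_origins:
                headers += [
                    ("Access-Control-Allow-Origin", origin),
                    ("Access-Control-Allow-Methods", "POST, PUT, PATCH, DELETE"),
                    ("Access-Control-Allow-Headers", "X-Requested-With"),
                ]
            start_response("204 No Content", headers)
            return [b""]

        # HTML forms, <img> tags and links cannot set custom headers, so a
        # forged cross-site request arrives without it.
        if method in UNSAFE_METHODS and not environ.get(HEADER_KEY):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"missing X-Requested-With header\n"]
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def simulate(method, **extra):
    """Run one constructed request through the guard; return (status, headers)."""
    environ = {"REQUEST_METHOD": method, **extra}
    setup_testing_defaults(environ)
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(CustomHeaderCsrfGuard(demo_app)(environ, start_response))
    return seen["status"], seen["headers"]
```
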
