(1) Field of the Invention
The present invention relates to the field of web application security and more particularly to the prevention of Cross Site Request Forgery attacks.
(2) Description of the Related Art
Security tokens guard against a common form of web application vulnerability called a Cross Site Request Forgery (XSRF) attack. This vulnerability exploits a weakness in the design of web authentication mechanisms: a web browser is typically authenticated once per browsing session to a secured web destination, and the browser then attaches that credential (for example a session cookie) to every subsequent request to that destination. The attacker uses this persistent authentication to deceptively initiate requests to the authenticated web destination without the knowledge of the browser user. An XSRF attack commonly takes the form of hidden requests to another secured site embedded within a malicious page. If the viewer of the malicious page has previously visited and authenticated to the target site, then the requests initiated by the malicious page are sent, with the user's credential attached, transparently to the user. This process can be used to exploit any of the exposed functionality of the target site and to gather privileged information with the browser user's full privilege level on the target site.
One effective technique to prevent XSRF attacks requires the use of a unique token of data passed between requests from the browser to the target site. Because the token is unpredictable, bound to the user's session and known only to the target site and the authenticated browser, a malicious site is prevented from attacking that destination: it can cause the browser to send the cookie, but it has no knowledge of the required unique data and cannot read it from the target site, so requests lacking the token are rejected.
A good description of the established best practice approach to prevent XSRF attacks can be seen at “Security Corner: Cross-Site Request Forgeries”, published in php|architect on 13 Dec. 2004, specifically the part about including tokens in the form data.
Examples
Standard URL
https://domain.com/path/to/web/application.cgi
Standard URL including token
https://domain.com/path/to/web/application.cgi?token=A9DFEZ134ZFYH
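The per-session token check described above, as an added example written for this page (it is not code from the cited article or from the invention): a token is minted when the session starts, appended to the application's URLs as in the example above, and verified on each request; a request that carries only the session cookie, or an attacker's guessed token, is rejected. The in-memory session store, the `SESSIONS`, `with_token`, `is_request_authentic` and `rewrite_links` names, and the sample page are assumptions for the example. The `rewrite_links` function illustrates the burden placed on a site that adopts this technique: every link on every page must carry the token.

```python
import hmac
import re
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed in-memory session store for the example: session id -> per-session
# anti-XSRF token. A real site would keep this server-side next to the session.
SESSIONS: Dict[str, str] = {}


def new_session() -> str:
    """Start an authenticated browsing session and mint its unique token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(16)  # unguessable by a malicious site
    return sid


def with_token(url: str, sid: str) -> str:
    """Append the session's token to a URL, as in ...application.cgi?token=..."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["token"] = [SESSIONS[sid]]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def supplied_token(url: str, body: str = "") -> Optional[str]:
    """Token from the query string, falling back to a posted form field."""
    for raw in (urlsplit(url).query, body):
        values = parse_qs(raw).get("token")
        if values:
            return values[0]
    return None


def is_request_authentic(sid: str, url: str, body: str = "") -> bool:
    """Accept the request only if the browser sent the current token for its session.

    The session id (cookie) alone is not enough: a malicious page can make the
    browser send it, but cannot read the token in order to include it.
    """
    expected = SESSIONS.get(sid)
    supplied = supplied_token(url, body)
    if expected is None or supplied is None:
        return False
    # constant-time comparison so response timing does not leak the token
    return hmac.compare_digest(supplied.encode(), expected.encode())


_HREF = re.compile(r'href="([^"]+)"')


def rewrite_links(html: str, sid: str, site: str) -> str:
    """Every same-site link on a page must carry the token, or the next click
    arrives without it and is rejected. Simplified for the example: handles only
    double-quoted href attributes that point to `site` or to a relative path."""
    def _add(m: "re.Match[str]") -> str:
        href = m.group(1)
        if href.startswith(site) or href.startswith("/"):
            return 'href="%s"' % with_token(href, sid)
        return m.group(0)  # off-site links must not leak the token
    return _HREF.sub(_add, html)


if __name__ == "__main__":
    sid = new_session()
    app = "https://domain.com/path/to/web/application.cgi"
    print(is_request_authentic(sid, with_token(app, sid)))         # genuine request
    print(is_request_authentic(sid, app))                           # forged: cookie only
    print(is_request_authentic(sid, app + "?token=A9DFEZ134ZFYH"))  # attacker's guess
```

The check deliberately treats the session cookie and the token as two separate factors: the browser supplies the first automatically, so only the second proves that the request originated from a page the target site itself served.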
Existing methods of employing this measure require that the target site be designed from the beginning with this technique in mind. In other words, since the token is an argument of the URL, the receiving application must be programmed to accept this token. All pages must handle the token and ensure that every link and every piece of functionality within the page passes and accepts the token of data. While this technique is effective, it requires redesign of legacy web applications and sites. In many cases this redesign can introd
Development of a technique for including security tokens in the web authentication mechanism itself, so that the token is included in all requests and the need to reprogram legacy web applications is obviated, represents a great improvement in the field of web security and satisfies a long felt need of web site programmers, web site operators and the browsing public.