[Info-vax] OS implementation languages

Arne Vajhøj arne at vajhoej.dk
Sat Sep 9 21:10:45 EDT 2023


On 9/9/2023 9:06 PM, Arne Vajhøj wrote:
> On 9/9/2023 7:22 PM, Chris Townley wrote:
>> CSRF - what is it?
> 
> Cross Site Request Forgery
> 
> Simple (slightly oversimplified) example:
> 
> * you log in to your bank and the bank web server provides
>    you with a session cookie that your browser uses for
>    all requests in that session
> * you need to do a money transfer so you fill out a
>    form with amount + from account + to account
> * that form gets submitted to the bank as a POST request
> * without closing the browser you go to www.verybadsite.com
> * they show you a form with a USD amount and you expect them
>    to show the equivalent GBP amount
> * but the form has 3 invisible fields: amount +
>    from account + to account, filled out with an amount +
>    your account + their account, and the POST URL is the bank's
> * when you hit submit the transfer goes to the bank
>    and your super friendly browser sends the cookie
>    with the request and the super friendly bank web server
>    has kept the session valid
> 
> https://en.wikipedia.org/wiki/Cross-site_request_forgery

One of the tools used to prevent it is an anti-forgery token.

Basically, when the bank provides you with the form, it
also generates a hidden field with a huge cryptographically
secure number and saves the same number in the session.
Then the code processing the POST request checks whether the
submitted token matches the token in the session.

The bad guys cannot guess the token. And the bank should
remove the token from the session as soon as the POST request
is received so it can only be used once (which has the
positive side effect of also preventing double submits!!).

Arne
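The synchronizer-token scheme described above, as an added example that is not part of the original post: the session store, account names and form field names are constructed stand-ins, and the token is generated with Python's `secrets` module and compared in constant time.

```python
import secrets
import hmac

# Constructed in-memory session store (session cookie value -> session data),
# standing in for a real server-side session backend.
SESSIONS = {}

def login(session_id, account):
    """Start a session after authentication (simplified)."""
    SESSIONS[session_id] = {"account": account, "balance": 1000}

def render_transfer_form(session_id):
    """Serve the transfer form: mint a fresh anti-forgery token, keep it in
    the session and return it for the hidden form field."""
    token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
    SESSIONS[session_id]["csrf_token"] = token
    return token

def handle_transfer_post(session_id, form):
    """Process the POST. The browser sends the session cookie on every
    request, so only the token separates a genuine submit from a forged one;
    a third-party page cannot read the bank's form and so never learns it."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "rejected: not logged in"
    # One-time use: the token is removed as soon as the POST arrives, which
    # also blocks double submits (a second POST finds no token in session).
    expected = session.pop("csrf_token", None)
    submitted = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, submitted):
        return "rejected: bad anti-forgery token"
    amount = int(form["amount"])
    session["balance"] -= amount
    return f"ok: transferred {amount} to {form['to_account']}"

def demo():
    """Genuine submit, forged submit with a guessed token, replay of a used token."""
    login("cookie-abc", "alice")
    t1 = render_transfer_form("cookie-abc")
    r1 = handle_transfer_post("cookie-abc", {"amount": "50", "to_account": "bob", "csrf_token": t1})
    render_transfer_form("cookie-abc")  # user opens the form again: new token in session
    guess = secrets.token_urlsafe(32)   # what a forged page would have to supply
    r2 = handle_transfer_post("cookie-abc", {"amount": "900", "to_account": "mallory", "csrf_token": guess})
    r3 = handle_transfer_post("cookie-abc", {"amount": "50", "to_account": "bob", "csrf_token": t1})
    return r1, r2, r3

if __name__ == "__main__":
    print(demo())
```

Note that popping the token on receipt means a failed attempt also invalidates the genuine form still open in the user's browser, so the user has to reload it; that is the trade-off of strict one-time use.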