Introduction to Web Security

Rohan Mahajan
2 min read · Sep 18, 2018


Two major web security vulnerabilities are cross-site request forgery (CSRF) and cross-site scripting (XSS). In CSRF, the attacker tricks the user into following a link that makes a request to a page that modifies state, e.g. a bank transfer. Attackers can trick users into triggering this request through mechanisms such as invisible images with malicious hrefs in emails. If the user is logged in and the site uses cookie-based authentication, the browser sends the cookie automatically. Even if the cookie is encrypted, the server will still decrypt it properly and the attack will work.

Multiple ways exist to stop CSRF attacks. One method is for the server to check the Referer/Origin header of the HTTP request and only allow requests that come from its own pages. If the victim opened a link from their email, the referrer would be the email client, and the server can filter that request out. Furthermore, developers can embed a unique CSRF token for each user in the forms themselves. This token is not stored in the cookie, but the site's JavaScript ensures it is sent with the request. The attacker has no way of discovering this token, as it is unique for each user. This solution does, however, increase the complexity of both the client and the server. Finally, the developer can use local storage to store authentication information instead of cookies. Unlike cookies, local storage is not automatically included in web requests, so when the user clicks the attacker's link, the authentication token will not be included.
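The first two server-side defenses above (origin check plus per-user token) as an added example that is not part of the original post. It uses a plain dict in place of a real HTTP request; the header names, the `csrf_token` form field and the `bank.example` origin are assumptions chosen for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed sample value: the only origin our pages are served from.
SITE_ORIGIN = "https://bank.example"


def issue_csrf_token() -> str:
    """Per-user secret embedded in forms; kept server-side, never in the cookie."""
    return secrets.token_urlsafe(32)


def origin_allowed(headers: dict, site_origin: str = SITE_ORIGIN) -> bool:
    """Check 1: the request must come from one of our own pages.
    Prefer Origin, fall back to Referer; a request carrying neither is rejected,
    because it cannot be distinguished from a forged cross-site request."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == site_origin


def token_valid(form: dict, session_token: str) -> bool:
    """Check 2: the token submitted in the form must match the session's token.
    compare_digest keeps the comparison constant-time."""
    submitted = form.get("csrf_token", "")
    return bool(session_token) and hmac.compare_digest(
        submitted.encode(), session_token.encode())


def accept_state_change(headers: dict, form: dict, session_token: str) -> bool:
    """A state-changing request (e.g. a transfer) is honoured only if both pass."""
    return origin_allowed(headers) and token_valid(form, session_token)


# Constructed sample requests against a transfer endpoint.
USER_TOKEN = issue_csrf_token()
LEGIT = ({"Origin": SITE_ORIGIN, "Cookie": "session=abc"},
         {"to": "alice", "amount": "10", "csrf_token": USER_TOKEN})
# Forged from an email: the cookie rides along, but the referrer is the mail
# client and the page that built the request cannot know the user's token.
FORGED = ({"Referer": "https://mail.example/inbox", "Cookie": "session=abc"},
          {"to": "mallory", "amount": "1000"})
```

Either check alone rejects the forged request here; running both means a single misconfiguration (a proxy stripping Referer, a leaked token) does not reopen the hole.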

XSS is another significant vulnerability, in which an attacker is able to embed attacking code in the actual page. Because this code is served by the site, it can access local storage and make requests posing as the user. Attackers inject this code in pages such as forums that allow users to submit content to be included in the page. To prevent these attacks, the server must sanitize these submissions and ensure that no malicious code is present.
