How to prevent cross site request attack (XSRF / CSRF) using URL rewriting?

CSRF / XSRF can be prevented using a number of methods.

One way is to use a token that is unique to the client session, sent with every request from the client to the server and checked on the server side. If the request token and the server-side token match, the request is allowed to enter the application; if not, it is rejected. Thus, a CSRF attack will be detected.

Although the idea of the method is very clear to me, I'm not sure whether rewriting URLs can help prevent a CSRF attack. Can a security guru shed light on this?

+4
1 answer

Here's a short story that talks about rewriting URLs. It says:

We could reduce most of the risk of these vulnerabilities by frequently changing our URLs - not every 200 years, but every 10 minutes. Attackers will no longer be able to exploit application vulnerabilities via the mass mailing of poisoned hyperlinks, because the links will be broken and invalid by the time the messages reach the alleged victims.

I think that (and the article agrees) is one aspect of a general approach to preventing this problem. Microsoft also has a good article that talks about this.

+2
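The two ideas in this thread (a session-bound token checked on the server, and URLs that are "rewritten" so they expire after about ten minutes) can be combined in one mechanism. The following is an added example, not code from the question, the answer or either cited article: the token is an HMAC over the session id and a 10-minute time window, appended to the URL by the server and verified in constant time; the secret, URL, session ids and timestamps are constructed for the demo.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed server-side secret for the demo; in practice it comes from a secret store.
SERVER_SECRET = secrets.token_bytes(32)
WINDOW_SECONDS = 600  # rotate the URL token every 10 minutes, as the quoted article suggests


def _token(session_id: str, window: int) -> str:
    """HMAC binding the token to one session and one time window.
    Without SERVER_SECRET an attacker cannot mint a token for another user's session."""
    msg = f"{session_id}:{window}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def rewrite_url(base_url: str, session_id: str, now: float) -> str:
    """Server side, when rendering a page: append the session- and time-bound token
    to an application URL so the link is only usable by this session, for a short time."""
    window = int(now // WINDOW_SECONDS)
    sep = "&" if "?" in base_url else "?"
    return f"{base_url}{sep}{urlencode({'csrf': _token(session_id, window)})}"


def verify_request(url: str, session_id: str, now: float) -> bool:
    """Server side, on each state-changing request: accept only if the URL carries a
    token for the requester's own session in the current or immediately previous window.
    A link a victim receives by mail (no token, another session's token, or a stale
    token) fails this check."""
    presented = parse_qs(urlparse(url).query).get("csrf", [""])[0]
    window = int(now // WINDOW_SECONDS)
    for w in (window, window - 1):  # one-window grace so a freshly loaded page keeps working
        if hmac.compare_digest(presented, _token(session_id, w)):
            return True
    return False


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    link = rewrite_url("https://bank.example/transfer", "sess-victim", t0)
    print(verify_request(link, "sess-victim", t0 + 60))        # True: own session, fresh link
    print(verify_request(link, "sess-victim", t0 + 1201))      # False: link has expired
    forged = rewrite_url("https://bank.example/transfer", "sess-attacker", t0)
    print(verify_request(forged, "sess-victim", t0))           # False: token bound to another session
```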