How To Prevent OSRF Attacks On Your Web Applications

OSRF stands for On-site request forgery. It is closely related to CSRF (Cross-site request forgery), but in OSRF the forged request originates on the vulnerable site itself, which the victim is already using, and the attacker controls where the victim's response is sent.

CSRF and OSRF can be compared with the work-from-office and work-from-home concepts: CSRF is work from office and OSRF is work from home. The work done is the same; only the place where it is done differs. Likewise, both attacks forge a request, but the place where the request is forged differs. In OSRF the request is forged on the victim's own site and triggered by the victim; in CSRF it is forged on a form the attacker created on a site under the attacker's control.

Example: Consider an application where the admin has the privilege to view comments sent by users. The attacker posts a comment that contains a link. This link can carry malicious code, for example code that reads the cookie of the admin's session and forwards it to an account the attacker controls. Depending on the code, clicking the link or merely hovering the mouse over it triggers the attack on the admin's own site, by the admin. This execution of request forgery on the victim's site by the victim is called On-site request forgery.

The attacker's options are limited because the request has to be initiated by the victim. However, once the request is triggered, the following become possible for the attacker:

  • Referrer bypass
  • Same-site cookie bypass
  • Origin bypass
  • Control over HTTP headers or methods

The defence against OSRF is to follow the points below:

  • Filter (encode) user input before it is incorporated into a response.
  • Include a CSRF token in every state-changing form, as a hidden parameter.
  • The CSRF token value must be built from random numbers, letters and symbols so that it is not guessable.
  • Validate the token on the server side as well as the client side.