Aug 30, 2020

XSRF in the World

I remember learning about XSRF ("Cross Site Request Forgery") at work, and seeing how Spring, for example, helps you mitigate these attacks by generating an extra form parameter that is difficult for a potential hacker to predict. Looking at it now though, I still need a brush-up on what actually enables the hacker to perform this attack.

So first, the idea behind XSRF is that a hacker makes the user perform a web request from their own browser that they did not really intend.

Why would you want to do that? Well, say that the attack sends money from the user's bank account, or say that the request changes the price on an ad that the user has put out online (this has actually happened in the real world, in Germany). The thing is that when the user's browser sends a request it includes all of the authentication cookies etc., which grants the authorization to perform requests that the hacker might find desirable.

Now, web requests are performed with something called a "method". The most common examples are GET, POST, PUT and DELETE. Making a user perform an unwanted GET request to a page is simple: you can simply put an image on a page with the desired URL as its source attribute, and loading it will trigger a GET request. These requests are usually not very dangerous though, because any sane API designer would not put any system-altering interactions behind an endpoint that is accessed using GET.

Instead, the more desirable requests are most likely POST, PUT or DELETE. These are protected by the so-called SOP (Same Origin Policy), which prohibits an alien web page from performing these requests to your page. Of course, if you have poorly configured CORS (Cross Origin Resource Sharing) rules set up for your page, these operations might be possible, but that is also not to be expected.

So, how does someone make your browser perform a POST (for example) that you don't want? Perhaps they have performed an XSS (Cross-Site Scripting) attack on your page and managed to inject a script that performs the request from your page? That would be one scenario.

The most likely scenario would probably be to have a form on an alien page and make it submit towards your page. This way the malicious POST gets sent, because the SOP only protects against requests sent from page scripting, not from form submits.
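As an added example (not code from this post, and not how Spring implements it internally), here is a minimal synchronizer-token check in TypeScript showing why the forged form submit described above fails on the server: the browser attaches the session cookie, but the foreign page never saw the hidden token. The in-memory session store and the names `login`, `renderTransferForm` and `handleTransfer` are made up for this illustration.

```typescript
import { randomBytes, timingSafeEqual } from "crypto";

// Hypothetical in-memory session store: the browser sends the SESSION cookie
// automatically, so a cross-site form submit still lands in a valid session.
interface Session {
  csrfToken: string;
}
const sessions = new Map<string, Session>();

interface FormRequest {
  method: string;
  cookies: Record<string, string>;
  body: Record<string, string>; // parsed form fields
}

// Log a user in: create the session and bind an unpredictable token to it.
export function login(): string {
  const sid = randomBytes(16).toString("hex");
  sessions.set(sid, { csrfToken: randomBytes(32).toString("hex") });
  return sid;
}

// Render the form with the token as a hidden field. Only a page served by
// this site (and read with this session) ever sees the value.
export function renderTransferForm(sid: string): string {
  const session = sessions.get(sid);
  if (!session) throw new Error("no such session");
  return `<form method="POST" action="/transfer">
  <input type="hidden" name="_csrf" value="${session.csrfToken}">
  <input name="amount"><button>Send</button>
</form>`;
}

// Constant-time comparison; a length mismatch is simply a mismatch.
function tokenMatches(expected: string, submitted: string | undefined): boolean {
  if (typeof submitted !== "string") return false;
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(submitted, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Handle the state-changing POST. A forged submit from another site carries
// the cookie (so the session resolves) but cannot carry the right token.
export function handleTransfer(req: FormRequest): "ok" | "forbidden" | "unauthenticated" {
  if (req.method.toUpperCase() !== "POST") return "forbidden";
  const session = sessions.get(req.cookies["SESSION"] ?? "");
  if (!session) return "unauthenticated";
  if (!tokenMatches(session.csrfToken, req.body["_csrf"])) return "forbidden";
  return "ok";
}
```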

Code of the Day

I'm feeling every bit of the pain now while implementing a more complex feature in my geometry library. The problem is that a polygon consists of multiple line segments, and if a line intersects the polygon exactly at the junction between two line segments, it might look to the algorithm as if the line intersects two segments instead of one, which is algorithmically inconvenient. A logical convention that is consistent throughout the project is needed.

  // Convention: the segment's y-range includes the p1 end and excludes the p2 end,
  // so a junction vertex shared by two consecutive segments belongs to only one of them.
  private getHeightIntervalIncludingP1ExcludingP2(): Interval {
    if (this.p1.y < this.p2.y) {
      return new Interval(this.p1.y, this.p2.y, true, false);
    }
    return new Interval(this.p2.y, this.p1.y, false, true);
  }