Introduction
Cross-Site Request Forgery (CSRF) is an attack that hijacks an authenticated user session to send unauthorized
requests to a server. To the server receiving them, the requests appear to have been initiated by the authenticated
user. The resulting actions can weaken the security configuration of the server, which an attacker can then exploit to take control of it.
Browsers are inherently trusted and are designed to cache the authenticated session cookie until it expires. When the
user authenticates to a server, the server generates a session authentication cookie that the web browser caches.
The browser then automatically includes this cookie in every subsequent request sent to that server.
When a user who is already logged in to a target server unknowingly clicks on a well-formed link, the link can execute
a specific action on the target server using the session cookie cached in the browser. Attackers can craft
such links and hide them in an email body or on a web portal that has been compromised.
CSRF attacks can be detected and prevented by the server. This technical whitepaper
describes the techniques used to prevent such attacks for the Embedded Web Server on HP
FutureSmart devices.
Detailed Description
The Embedded Web Server (EWS) is one of the primary configuration and management interfaces on HP FutureSmart
devices. For security purposes, EWS requires the user to provide Admin credentials. EWS employs cookie-based
authentication with a default timeout value of 30 minutes. Because browsers typically cache authentication cookies,
EWS is susceptible to CSRF attacks.
The EWS can employ security measures to prevent CSRF attacks. Standard industry practices include:
Checking the Origin header
Checking the Referer header
CSRFToken authentication
Origin Header:
The Origin header identifies the security context that caused the user agent to initiate an HTTP request. Web
servers can prevent CSRF attacks by allowing a request only if its Origin header contains a known or whitelisted origin.
This safeguards the server from unknown or cross-domain attacks.
Referer Header:
The Referer header identifies the web page or URI from which the request was made. The web server can
prevent CSRF attacks by examining the hostname in the Referer URI. The check is similar to the Origin header check and
likewise protects the device from unknown or cross-domain attacks.
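The following is an added example of the Origin and Referer checks described in the two sections above; it is illustrative code written for this page, not HP's EWS implementation. The allowed-origin set, the header names and the sample requests are constructed assumptions. It normalises scheme, host and port before comparing, parses the Referer with a URL parser rather than a substring match (so a hostname that merely contains the device's name, or a URL with userinfo in front of the real host, is rejected), treats the opaque value "null" as untrusted, and reports "unknown" when neither header is present so the caller can fall back to a token check.

```python
"""Origin / Referer based CSRF source check (added example, not EWS code)."""
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Assumed: the origins under which this device is legitimately reached.
# A real server would derive these from its configured hostname/IP and ports.
ALLOWED_ORIGINS: Set[str] = {
    "https://printer.example.internal",
    "https://192.0.2.10",
}


def _normalize_origin(value: str) -> Optional[str]:
    """Return scheme://host[:port] for an Origin value or URL, or None if unusable."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # covers the literal "null" origin and non-http schemes
    host = parts.hostname.lower()
    if ":" in host:  # re-bracket IPv6 literals stripped by urlsplit
        host = f"[{host}]"
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def check_source_headers(headers: Dict[str, str]) -> str:
    """Classify a state-changing request by its Origin / Referer headers.

    Returns "allow" when the request provably came from one of our own
    origins, "deny" when a header is present but does not match, and
    "unknown" when neither header was sent (caller must fall back to a
    CSRF token check, since absence proves nothing either way).
    """
    allowed = {n for n in (_normalize_origin(o) for o in ALLOWED_ORIGINS) if n}
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    origin = lowered.get("origin")
    if origin is not None:
        # Origin is preferred: browsers attach it to cross-site POSTs and it
        # carries no path, so it leaks less and is harder to get wrong.
        return "allow" if _normalize_origin(origin) in allowed else "deny"

    referer = lowered.get("referer")
    if referer is not None:
        # Compare the parsed authority only; never substring-match the URL.
        return "allow" if _normalize_origin(referer) in allowed else "deny"

    return "unknown"


if __name__ == "__main__":
    # Constructed sample requests for a quick manual run.
    samples = [
        {"Origin": "https://printer.example.internal"},
        {"Referer": "https://printer.example.internal@evil.example/"},
        {},
    ]
    for h in samples:
        print(h, "->", check_source_headers(h))
```

Only requests that change state (form posts, configuration updates) need this check; idempotent page loads can remain unconditional. A "deny" should be logged with the offending header value, since a burst of denials is a useful signal that someone is attempting cross-site requests against the device.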
CSRFToken:
Origin and Referer headers provide safeguards against attacks from unknown domains; however, they are not mandatory
headers. When neither header is present in an incoming request, the web server cannot tell whether the request is
authentic or an attack. In such cases, the CSRFToken provides a means to protect the server against CSRF
attacks.
A CSRFToken is a cryptographically random generated value. These tokens can be generated on a per-session basis. When
a form is fetched from the web server, the token is inserted into the HTML form as the “CSRFToken” field. When the web client
submits the HTTP request, the client application must include this token as “CSRFToken” so that the server can verify it.
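The per-session token lifecycle just described, as an added example written for this page (not EWS code): the token is minted with a cryptographic random source when the session is created, embedded in the form as the hidden “CSRFToken” field, and checked with a constant-time comparison when the form is submitted. The in-memory session store, the cookie name `sessionid` and the form action are assumptions. The validation function is what the server falls back to when neither Origin nor Referer is present.

```python
"""Per-session CSRF token: generation, form embedding, validation (added example)."""
import hmac
import secrets
from html import escape
from typing import Dict

# Assumed server-side session store: session id -> session data.
# A real server keeps this beside its authentication state.
SESSIONS: Dict[str, dict] = {}


def create_session(user: str) -> str:
    """Start an authenticated session and mint one CSRF token for it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        # Cryptographically random, unguessable by a cross-site page.
        "csrf_token": secrets.token_urlsafe(32),
    }
    return sid


def render_form(sid: str, action: str) -> str:
    """Embed the session's token in the form as the hidden field 'CSRFToken'."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        f'<form method="POST" action="{escape(action)}">'
        f'<input type="hidden" name="CSRFToken" value="{escape(token)}">'
        '<input type="submit" value="Apply"></form>'
    )


def validate_request(cookies: Dict[str, str], form: Dict[str, str]) -> bool:
    """Accept a state-changing request only if CSRFToken matches the session's token.

    The session cookie alone is not enough: a forged cross-site form post
    carries the cookie automatically but cannot read the token embedded in
    a page served to the victim's browser.
    """
    sid = cookies.get("sessionid")
    session = SESSIONS.get(sid) if sid else None
    if session is None:
        return False  # not authenticated, or stale/unknown session
    submitted = form.get("CSRFToken")
    if not submitted:
        return False  # token missing: treat as forged, never as optional
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(session["csrf_token"].encode(), submitted.encode())


if __name__ == "__main__":
    # Constructed walk-through: legitimate submit versus a forged one.
    sid = create_session("admin")
    print(render_form(sid, "/hp/device/set_config"))
    good = {"CSRFToken": SESSIONS[sid]["csrf_token"]}
    forged = {}  # a cross-site form cannot supply the token
    print("legitimate:", validate_request({"sessionid": sid}, good))
    print("forged:    ", validate_request({"sessionid": sid}, forged))
```

Two points matter in practice: the token must be tied to the session it was issued for (a token from one session must not validate another), and the comparison must be constant-time, which is why `hmac.compare_digest` is used rather than `==`.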