Do login forms need tokens against CSRF attacks?

by

Yes. In general, you need to secure your login forms from CSRF attacks just as any other.

Otherwise your site is vulnerable to a sort of “trusted domain phishing” attack. In short, a CSRF-vulnerable login page enables an attacker to share a user account with the victim.

The vulnerability plays out like this:

  1. The attacker creates a host account on the trusted domain
  2. The attacker forges a login request in the victim’s browser with this host account’s credentials
  3. The attacker tricks the victim into using the trusted site, where they may not notice they are logged in via the host account
  4. The attacker now has access to any data or metadata the victim “created” (intentionally or unintentionally) while their browser was logged in with the host account

As a pertinent example, consider YouTube. YouTube allowed users to see a record of “their own” viewing history, and their login form was CSRF-vulnerable! So as a result, an attacker could set up an account with a password they knew, log the victim into YouTube using that account — stalking what videos the victim was watching.

There’s some discussion in this comment thread that implies it could “only” be used for privacy violations like that. Perhaps, but to quote the section in Wikipedia’s CSRF article:

Login CSRF makes various novel attacks possible; for instance, an
attacker can later log in to the site with his legitimate credentials
and view private information like activity history that has been saved
in the account.

Emphasis on “novel attacks”. Imagine the impact of a phishing attack against your users, and then imagine said phishing attack working via the user’s own trusted bookmark to your site! The paper linked in the aforementioned comment thread gives several examples that go beyond simple privacy attacks.

More Related Contents:

  1. How to properly add cross-site request forgery (CSRF) token using PHP
  2. Post request in Laravel – Error – 419 Sorry, your session/ 419 your page has expired
  3. Using a string path to set nested array data [duplicate]
  4. “The page has expired due to inactivity” – Laravel 5.5
  5. Generating cryptographically secure tokens
  6. best practice to generate random token for forgot password
  7. CSRF (Cross-site request forgery) attack example and prevention in PHP
  8. Laravel catch TokenMismatchException
  9. New CSRF token per request or NOT?
  10. Codeigniter CSRF – how does it work
  11. PHP form token usage and handling
  12. Codeigniter CSRF valid for only one time ajax request
  13. How to log in to phpMyAdmin with WAMP, what is the username and password?
  14. laravel 5 : Class ‘input’ not found
  15. Extract URL’s from a string using PHP [duplicate]
  16. How do I iterate through DOM elements in PHP?
  17. Can a PHP function accept an unlimited number of parameters? [duplicate]
  18. I want a pagination to my options page of wordpress plugin?
  19. PHP: mysql v mysqli v pdo [closed]
  20. How can I make an array of times with half hour intervals?
  21. Accessing Order Items protected data in Woocommerce 3
  22. Can I have multiple $_GET with the same key, different values?
  23. .htaccess Redirect non-WWW to WWW preserving URI string
  24. Wrap DOM element in another DOM element in PHP
  25. Get Return Value from SQL Stored Procedure using PHP
  26. PHPMailer error: SMTP -> ERROR: Failed to connect to server
  27. Best way to handle dirty state in an ORM model
  28. Email validation using regular expression in PHP
  29. Best Way To Autoload Classes In PHP
  30. PHP Echo text Color

Leave a Comment