Question: Q6

a. Consider Cross Site Request Forgery (CSRF) attacks against web sites that rely solely on cookies for session management. Briefly explain a CSRF attack on such a site.

b. A common CSRF defense places a token in the DOM of every page (e.g. as a hidden form element) in addition to the cookie. An HTTP request is accepted by the server only if it contains both a valid HTTP cookie header and a valid token in the POST parameters. Why does this prevent the attack from part (a)?

c. One approach to choosing a CSRF token is to choose one at random. Suppose a web site chooses the token as a fresh random string for every HTTP response. The server checks that this random string is present in the next HTTP request for that session. Does this prevent CSRF attacks? If so, explain why. If not, describe an attack.

d. Another approach is to choose the token as a fixed random string chosen by the server. That is, the same random string is used as the CSRF token in all HTTP responses from the server over a given time period. Does this prevent CSRF attacks? If so, explain why. If not, describe an attack.

e. Why is the same-origin policy important for the cookie-plus-token defense?
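An added illustration of the cookie-plus-token check from part (b); this is example code, not part of the original question page. The in-memory session store, the `login`, `render_form` and `accept_request` functions and the field name `csrf_token` are all constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for real server state.
# session cookie value -> {"user": ..., "csrf": token bound to this session}
SESSIONS: dict = {}


def login(user: str) -> tuple:
    """Create a session. Returns (session cookie value, per-session CSRF token)."""
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": token}
    return sid, token


def render_form(sid: str) -> str:
    """Part (b): the server embeds the session's token in the DOM as a hidden field."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"></form>')


def accept_request(cookies: dict, post_params: dict) -> bool:
    """Accept only if the cookie names a live session AND the POST body
    carries that same session's token (constant-time comparison)."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return False
    sent = post_params.get("csrf_token", "")
    return hmac.compare_digest(sent, session["csrf"])


def demo() -> dict:
    """Legitimate request vs. the cross-site request from part (a)."""
    sid, token = login("alice")
    victim_cookies = {"session": sid}  # the browser attaches this to every request to the site
    assert "csrf_token" in render_form(sid)
    # Same-origin request: the page the victim loaded contained the token, so the form carries it.
    legit = accept_request(victim_cookies, {"to": "bob", "amount": "10", "csrf_token": token})
    # Cross-site request: the browser still sends the cookie, but the attacker's page cannot read
    # the victim's DOM (same-origin policy), so the forged POST arrives without the token.
    forged = accept_request(victim_cookies, {"to": "mallory", "amount": "10"})
    # A token is bound to its session: one issued to a different session does not validate.
    _, other_token = login("mallory")
    wrong_session = accept_request(victim_cookies, {"to": "mallory", "csrf_token": other_token})
    return {"legit": legit, "forged": forged, "other_session_token": wrong_session}
```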
