Preventing Cross-Site Attacks on Your Website


There are many types of cross-site attacks that a malicious user can use to gather information from your website and potentially cause significant damage.

The following links provide very useful information for any web developer who allows users to enter content on their site.

HTTP Only Cookies - Marking your cookies HttpOnly stops client-side script from reading them, which helps prevent attackers stealing account information from your site.

The following example shows how to write an HttpOnly cookie in an ASP.NET Web Forms page:

// Code-behind for an ASP.NET Web Forms page; HttpCookie and Response come from System.Web.
void Page_Load(object sender, EventArgs e)
{
    // Create a new HttpCookie.
    HttpCookie myHttpCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());

    // By default, the HttpOnly property is set to false
    // unless specified otherwise in configuration (httpOnlyCookies in web.config).
    myHttpCookie.Name = "MyHttpCookie";
    Response.AppendCookie(myHttpCookie);

    // Show the name of the cookie.
    Response.Write(myHttpCookie.Name);

    // Create an HttpOnly cookie.
    HttpCookie myHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());

    // Setting HttpOnly to true tells the browser not to expose this cookie
    // to client-side script (document.cookie); it is still sent with requests.
    myHttpOnlyCookie.HttpOnly = true;
    myHttpOnlyCookie.Name = "MyHttpOnlyCookie";
    Response.AppendCookie(myHttpOnlyCookie);

    // Show the name of the HttpOnly cookie.
    Response.Write(myHttpOnlyCookie.Name);
}

Cross-Site Request Forgeries - Have the potential to allow attackers to perform arbitrary actions on your website using a logged-in user's browser. For important actions on your website, the following approaches are commonly suggested to prevent this type of attack.

1. Check the referrer. The HTTP referrer, or HTTP "referer" as it is now permanently misspelled, should always come from your own domain. You could reject any form posts from alien referrers. However, this is risky, as some corporate proxies strip the referrer from all HTTP requests as an anonymization feature. You would end up potentially blocking legitimate users. Furthermore, spoofing the referrer value is extremely easy. All in all, a waste of time. Don't even bother with referrer checks.

2. Secret hidden form value. Send down a unique server form value with each form -- typically tied to the user session -- and validate that you get the same value back in the form post. The attacker can't simply scrape your remote form as the target user through JavaScript, thanks to same-domain request limits in the XmlHttpRequest function.

3. Double submitted cookies. It's sort of ironic, but another way to prevent XSRF, essentially a cookie-based exploit, is to add more cookies! Double submitting means sending the cookie both ways in every form request: first as a traditional header value, and again as a form value -- read via JavaScript and inserted. The trick here is that remote XmlHttpRequest calls can't read cookies. If the two values don't match, discard the input as spoofed. The only downside to this approach is that it does require your users to have JavaScript enabled, otherwise their own form submissions will be rejected.
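The server-side checks behind items 2 and 3 above, as an added framework-agnostic Python example (not code from the original post). The field name, cookie name and dict-based session/form/cookie model are assumptions; in a real application they come from your web framework.

```python
import hmac
import secrets

TOKEN_FIELD = "csrf_token"    # hidden form field name (assumed, not from the page)
TOKEN_COOKIE = "csrf_cookie"  # cookie name for the double-submit variant (assumed)


def issue_session_token(session: dict) -> str:
    """Secret hidden form value: mint one random token per session, keep it
    server-side and return it for embedding in the form as a hidden field."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def validate_session_token(session: dict, form: dict) -> bool:
    """Accept the POST only if the hidden field echoes the session's token.
    A missing token is a rejection, never a match; compare_digest keeps the
    comparison constant-time so the token cannot be guessed byte by byte."""
    expected, submitted = session.get(TOKEN_FIELD), form.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def validate_double_submit(cookies: dict, form: dict) -> bool:
    """Double-submit cookie: the browser attaches the cookie automatically and
    the page's own script copies it into the form; a cross-site page cannot
    read the cookie, so it cannot produce a matching pair."""
    from_cookie, from_form = cookies.get(TOKEN_COOKIE), form.get(TOKEN_COOKIE)
    if not from_cookie or not from_form:
        return False
    return hmac.compare_digest(from_cookie.encode(), from_form.encode())


def demo() -> dict:
    """Constructed sample requests: a legitimate post and a forged one each."""
    session = {}
    token = issue_session_token(session)
    legit = {TOKEN_FIELD: token, "amount": "100"}
    forged = {"amount": "100"}  # a cross-site form has no way to learn the token
    cookies = {TOKEN_COOKIE: secrets.token_urlsafe(16)}  # constructed cookie jar
    return {
        "legit_sync": validate_session_token(session, legit),
        "forged_sync": validate_session_token(session, forged),
        "legit_double": validate_double_submit(cookies, dict(cookies)),
        "forged_double": validate_double_submit(cookies, {TOKEN_COOKIE: "guess"}),
    }
```

Running `demo()` returns True for the two legitimate requests and False for the two forged ones.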

Preventing CSRF and XSRF Attacks - This link further explains the dangers of cross-site attacks and methods to prevent them.