I am new to Spring Security; with the help of tutorials I could set up in-memory authentication and a CSRF token. This works fine; users are authenticated and tokens are generated.

Issue: When I intercept my own form post using fiddler, modify POST parameters and execute HTTP POST requests it successfully submits the requests with 200 OK code. I am expecting 403 in such scenarios.

I think one solution to achieve this is to generate tokens per request instead of per session. But this approach has its own issues.

Can you please suggest a better approach to protect against such scenarios? Also, doesn't the above scenario demonstrate a session fixation attack?

Best regards,

1 Answer

CSRF tokens do not protect you from man-in-the-middle attacks. A CSRF token is normally just a random string, a shared secret. It is not a cryptographic signature.

A simple way to protect from man-in-the-middle is to use the HTTPS protocol.

holmis83
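To make the answer's point concrete, here is an added example (not Spring Security's code, and not from the original post) that models a per-session CSRF check: the filter compares only the submitted token against the session's stored one, so a request with a valid token but altered form fields still gets 200, while a missing token or another session's token gets 403. The session store and the `_csrf` field name are assumptions of this model.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> CSRF token.
SESSIONS = {}


def login(session_id: str) -> str:
    """Issue a random per-session CSRF token (a shared secret, not a signature)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def csrf_check(session_id: str, form: dict) -> int:
    """Return the HTTP status a per-session CSRF filter would produce for a POST.

    Only the token is compared. The filter never looks at the other form
    fields, so it cannot detect that "amount" was changed in transit; that is
    not what a CSRF token is for.
    """
    expected = SESSIONS.get(session_id)
    submitted = form.get("_csrf")
    if expected is None or submitted is None:
        return 403
    # Constant-time comparison of the two random strings.
    if not hmac.compare_digest(expected, submitted):
        return 403
    return 200


def demo() -> dict:
    """Run the four cases described above and return their status codes."""
    token = login("sess-A")
    other = login("sess-B")
    return {
        "original": csrf_check("sess-A", {"_csrf": token, "amount": "10"}),
        "tampered_fields": csrf_check("sess-A", {"_csrf": token, "amount": "9999"}),
        "missing_token": csrf_check("sess-A", {"amount": "10"}),
        "other_sessions_token": csrf_check("sess-A", {"_csrf": other, "amount": "10"}),
    }
```

The "tampered_fields" case is exactly the Fiddler observation in the question: the token proves the request came from the user's session, and integrity of the field values has to come from HTTPS and server-side validation.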